door_mat 0.0.5

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ad774be28584db37c0e422495fae8e21d1a0b9a2
+  data.tar.gz: cc7a4ed22545af0484c9fd9835afcabe478d06aa
+SHA512:
+  metadata.gz: b0eae2b29f15aa1f50b64e4e3a2e08ad392c8d98a8ffbea10dec2392f211c85d244b929d871026578445d9862ccee8ff06ff80e969d1ab42f02db700c2d4c092
+  data.tar.gz: 033e66535d3edc70d5f8e782fc36cd607eae95ff43495593a7111336ceeae0c5738043fab7461ffe568ff66cca13a4a42c7511d6e563c099596c0453d093bb16

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2014 Luc Lussier
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,88 @@
+# DoorMat
+
+Keeping keys safe since front doors have locks...
+
+
+### What is the DoorMat library?
+
+DoorMat is a Rails Engine that provides a solution for both user authentication and the encryption of user information. It aims to offer safe defaults so you can get going with what your website is really about.
+
+Although DoorMat is flexible and supports a variety of information sharing scenarios, its most basic configuration is such that _in the normal course of business_, the system operator does not have access to the user information protected by the encrypted store. The impact of this feature is that users must upload a recovery key file in order to reset their password should they forget it.
+
+
+### Security
+
+#### Read me first!
+**Disclaimer**: DoorMat is a fairly young and experimental library that could greatly benefit from the scrutiny of many eyes. Although care and efforts were taken while crafting this library, there is no doubt that it will contain various bugs. _Proceed with caution!_
+
+That being said, DoorMat aims to cover the basics and set sensible defaults while allowing customization.
+
+#### Batteries included
+DoorMat seeks to provide reasonable default configuration values for session management and data encryption. Many behaviour settings are biased toward security rather than a smooth user experience and may need to be relaxed depending on your site's security requirements.
+
+Although the initial default values may need to be updated, there should not be a need for the new user to select adequate values in order to harden the system. Rather, it should be secure by default and later customized to provide a better user experience.
+
+#### Crunchy on the Outside _and_ the Inside
+The reason for this emphasis is that although data theft by external actors get a lot of visibility in the press and makes for sensational news, [insider threats outrank external attacks](https://securityintelligence.com/the-threat-is-coming-from-inside-the-network/).
+
+One aspect of user data security addressed by DoorMat is that _in the normal course of business_, with the engine running in a `RAILS_ENV=production` environment using unaltered source code, the user information protected by the symmetric store is not accessible to the site operator.
+
+This means that by default, when a user creates an account, the site operator or any individual that gains access to the database cannot simply query the emails table to harvest user addresses. Each user's email address is encrypted using a key derived from their password.
+
+
+### Features
+
+DoorMat currently provides the following features out of the box:
+
+User side features
+- User account sign-up
+- Email address confirmation
+- Manage account email address (add, remove) for an account
+- Change password
+- Download password recovery key file
+- Reset forgotten password (using the recovery key file)
+- Public / private computer selection at login time
+- Remember me feature when a session is opened from a private computer
+- Terminate other active sessions (so you can remotely kill that session you forgot to close on the public library computer)
+
+System side features
+- Standard email / password based accounts
+- Alternative password less accounts with access control based on security tokens sent to users email address
+- User information stores using symmetric encryption. For password secured accounts only
+- Secret sharing store using asymmetric encryption
+- Before / after hooks for various user activities: sign up/in/out, etc.
+- Access restriction filters
+ - Only allow access to sessions from confirmed email address
+ - Require user to re-enter password for access to sensitive routes
+- Easy to override defaults
+ - Redirection after user activity success / failure
+ - Session / remember me expiration delay for public / private computer selection
+ - Maximum number of emails per account
+ - Maximum number of accounts a single email can be associated with (aka server side plausible deniability)
+ - etc.
+
+
+### Usage
+
+Run tests with `bundle exec rspec` and set `COVERAGE=true` to generate the coverage report after setting up the test database with `RAILS_ENV=test bundle exec rake db:drop db:create db:migrate`.
+
+See `spec/test_app` for a sample application illustrating the various DoorMat features. You can `bundle exec rails server -p3001` to run a local instance.
+
+You will also need to have [MailCatcher](https://mailcatcher.me/) running so you can confirm the email address you register with and to receive password less access tokens.
+Point one browser tab to `http://localhost:1080` to access your local email and a second one to `http://localhost:3001` to interact with the test application.
+
+Further sample usage will be released shortly!
+
+
+### Gem Version History
+
+**0.0.5 - Why so serious?** (April 4, 2016)
+
+* Initial public release.
+
+
+### License
+
+Copyright © 2016 Luc Lussier
+
+Released under the MIT license. See [MIT-LICENSE](MIT-LICENSE) for details.

data/Rakefile

@@ -0,0 +1,32 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DoorMat'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../spec/test_app/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+
+Dir[File.join(File.dirname(__FILE__), 'tasks/**/*.rake')].each {|f| load f }
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+
+desc "Run all specs in spec directory (excluding plugin specs)"
+RSpec::Core::RakeTask.new(:spec => 'app:db:test:prepare')
+
+task :default => :spec

data/app/assets/javascripts/door_mat/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/stylesheets/door_mat/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/assets/stylesheets/scaffold.css

@@ -0,0 +1,56 @@
+body { background-color: #fff; color: #333; }
+
+body, p, ol, ul, td {
+  font-family: verdana, arial, helvetica, sans-serif;
+  font-size:   13px;
+  line-height: 18px;
+}
+
+pre {
+  background-color: #eee;
+  padding: 10px;
+  font-size: 11px;
+}
+
+a { color: #000; }
+a:visited { color: #666; }
+a:hover { color: #fff; background-color:#000; }
+
+div.field, div.actions {
+  margin-bottom: 10px;
+}
+
+#notice {
+  color: green;
+}
+
+.field_with_errors {
+  padding: 2px;
+  background-color: red;
+  display: table;
+}
+
+#error_explanation {
+  width: 450px;
+  border: 2px solid red;
+  padding: 7px;
+  padding-bottom: 0;
+  margin-bottom: 20px;
+  background-color: #f0f0f0;
+}
+
+#error_explanation h2 {
+  text-align: left;
+  font-weight: bold;
+  padding: 5px 5px 5px 15px;
+  font-size: 12px;
+  margin: -7px;
+  margin-bottom: 0px;
+  background-color: #c00;
+  color: #fff;
+}
+
+#error_explanation ul li {
+  font-size: 12px;
+  list-style: square;
+}

data/app/controllers/door_mat/activities_controller.rb

@@ -0,0 +1,106 @@
+module DoorMat
+  class ActivitiesController < DoorMat::ApplicationController
+    before_action :require_password_reconfirm
+    before_action :require_confirmed_email, except: [:resend_email_confirmation, :confirm_email]
+    before_action :update_session_last_activity_time
+
+    def resend_email_confirmation
+      actor = DoorMat::Session.current_session.actor
+      encoded_email = params[:email]
+
+      email = actor.email_from_urlsafe_encoded(encoded_email)
+      if email.blank?
+        redirect_to config_url_redirect(:resend_email_confirmation_redirect_url)
+      else
+        if email.not_confirmed?
+          DoorMat::ActivityConfirmEmail.for(email, self)
+          redirect_to config_url_redirect(:resend_email_confirmation_redirect_url)
+        else
+          redirect_to config_url_redirect(:confirm_email_success_url)
+        end
+      end
+    end
+
+    # :email is a Base64.urlsafe_encode64 of a user email address
+    def confirm_email
+      before_confirm_email
+
+      actor = DoorMat::Session.current_session.actor
+      token = params[:token]
+      encoded_address = params[:email]
+
+      actor.with_lock do
+        actor.confirm_email_activities.each do |activity|
+          if activity.input_valid?(token, encoded_address)
+            if actor.has_primary_email?
+              activity.email.confirmed!
+            else
+              activity.email.primary!
+            end
+            activity.done!
+            flash[:notice] = "Email was confirmed."
+
+            redirect_to config_url_redirect(:confirm_email_success_url)
+            after_confirm_email(activity.email)
+            return
+          end
+        end
+      end
+
+      after_failed_confirm_email
+      lockdown(log_message: 'ERROR: failed request to confirm_email')
+    end
+
+    def download_recovery_key
+      before_download_recovery_key
+
+      actor = DoorMat::Session.current_session.actor
+      token = params[:token]
+      disposition = params[:disposition]
+
+      disposition = 'attachment' unless disposition.to_s == 'inline'
+
+      actor.with_lock do
+        actor.download_recovery_key_activities.each do |activity|
+          if activity.input_valid?(token)
+
+            recovery_key = DoorMat::Session.current_session.package_recovery_key
+
+            send_data recovery_key, filename: "recovery_key_#{Date.current.strftime("%Y%m%d")}.txt", disposition: disposition
+
+            activity.done!
+            flash[:notice] = "Keep this recovery key file safely, you will need it to recover your data in case you forget your password."
+            after_download_recovery_key
+            return
+          end
+        end
+      end
+
+      after_failed_download_recovery_key
+      lockdown(log_message: 'ERROR: failed request to download_recovery_key')
+    end
+
+    private
+
+    def before_confirm_email
+      DoorMat.configuration.event_hook_before_confirm_email.each {|prc| prc.call}
+    end
+    def after_confirm_email(email)
+      DoorMat.configuration.event_hook_after_confirm_email.each {|prc| prc.call(email)}
+    end
+    def after_failed_confirm_email
+      DoorMat.configuration.event_hook_after_failed_confirm_email.each {|prc| prc.call}
+    end
+
+    def before_download_recovery_key
+      DoorMat.configuration.event_hook_before_download_recovery_key.each {|prc| prc.call}
+    end
+    def after_download_recovery_key
+      DoorMat.configuration.event_hook_after_download_recovery_key.each {|prc| prc.call}
+    end
+    def after_failed_download_recovery_key
+      DoorMat.configuration.event_hook_after_failed_download_recovery_key.each {|prc| prc.call}
+    end
+
+  end
+end

data/app/controllers/door_mat/application_controller.rb

@@ -0,0 +1,14 @@
+module DoorMat
+  class ApplicationController < ActionController::Base
+
+    # Make the engine use the main_app layouts/application file and helpers
+    layout 'layouts/application'
+    helper Rails.application.helpers
+
+    include DoorMat::Controller
+    before_action :require_valid_session
+
+    protect_from_forgery with: :exception
+
+  end
+end

data/app/controllers/door_mat/change_password_controller.rb

@@ -0,0 +1,32 @@
+module DoorMat
+  class ChangePasswordController < DoorMat::ApplicationController
+    before_action :require_confirmed_email
+    before_action :update_session_last_activity_time
+
+    def new
+      @change_password = DoorMat::ChangePassword.new
+    end
+
+    def create
+      @change_password = DoorMat::ChangePassword.new(change_password_params)
+      actor = DoorMat::Session.current_session.actor
+
+      if @change_password.valid? && DoorMat::Process::ActorPasswordChange.with(actor, @change_password.new_password, @change_password.old_password)
+        DoorMat::Session.current_session.set_up(cookies)
+        flash[:notice] = I18n.t('door_mat.change_password.success')
+
+        redirect_to config_url_redirect(:change_password_success_url)
+      else
+        flash[:alert] = I18n.t('door_mat.change_password.failed')
+        render :new
+      end
+    end
+
+    private
+
+    def change_password_params
+      params.require(:change_password).permit(:old_password, :new_password, :new_password_confirmation)
+    end
+
+  end
+end

data/app/controllers/door_mat/forgot_passwords_controller.rb

@@ -0,0 +1,57 @@
+module DoorMat
+  class ForgotPasswordsController < DoorMat::ApplicationController
+    skip_before_action :require_valid_session, :only => [:new, :create, :choose_new_password, :reset_password]
+
+    def new
+      @forgot_password = DoorMat::ForgotPassword.new
+    end
+
+    # :email is a Base64.urlsafe_encode64 of a user email address
+    def create
+      @forgot_password = DoorMat::ForgotPassword.new(forgot_password_params)
+      @forgot_password.password = @forgot_password.password_confirmation = '-'
+
+      if @forgot_password.valid?
+        DoorMat::Process::ResetPassword.for(@forgot_password.email, self)
+
+        # No matter what, requester gets the same response
+        redirect_to config_url_redirect(:forgot_password_verification_mail_sent_url)
+      else
+        render :new
+      end
+    end
+
+    def choose_new_password
+      @forgot_password = DoorMat::ForgotPassword.new(choose_new_password_params)
+      @forgot_password.email = DoorMat::Email.decode_urlsafe(@forgot_password.email)
+    end
+
+    def reset_password
+      @forgot_password = DoorMat::ForgotPassword.new(reset_password_params)
+      if @forgot_password.valid?
+        if DoorMat::Process::ResetPassword.with(@forgot_password)
+        redirect_to door_mat.sign_in_url
+        else
+          flash[:alert] = I18n.t('door_mat.forgot_password.make_new_request')
+          redirect_to door_mat.forgot_password_url
+        end
+
+      else
+        render :choose_new_password
+      end
+    end
+
+    private
+
+    def forgot_password_params
+      params.require(:forgot_password).permit(:email)
+    end
+    def choose_new_password_params
+      params.permit(:email, :token)
+    end
+    def reset_password_params
+      params.require(:forgot_password).permit(:email, :password, :password_confirmation, :recovery_key, :token)
+    end
+
+  end
+end