graphql_devise 0.13.5 → 0.13.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/config/locales/en.yml +1 -1
- data/lib/graphql_devise/concerns/controller_methods.rb +6 -0
- data/lib/graphql_devise/mutations/resend_confirmation.rb +2 -0
- data/lib/graphql_devise/mutations/send_password_reset.rb +2 -0
- data/lib/graphql_devise/mutations/sign_up.rb +1 -3
- data/lib/graphql_devise/resolvers/check_password_token.rb +1 -0
- data/lib/graphql_devise/resolvers/confirm_account.rb +2 -0
- data/lib/graphql_devise/version.rb +1 -1
- data/spec/dummy/config/initializers/devise_token_auth.rb +2 -0
- data/spec/requests/mutations/additional_mutations_spec.rb +0 -1
- data/spec/requests/mutations/resend_confirmation_spec.rb +16 -1
- data/spec/requests/mutations/send_password_reset_spec.rb +16 -1
- data/spec/requests/mutations/sign_up_spec.rb +19 -1
- data/spec/requests/queries/check_password_token_spec.rb +15 -0
- data/spec/requests/queries/confirm_account_spec.rb +17 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e90de970ae686dd8437156a6d830b922c1fe4369c10206532073e5bb3f8f75f8
|
|
4
|
+
data.tar.gz: 3a74fe59c81889eb9f5a4bb42710d4cb7e086b9a9bdbd0e9bd09a370ccd7f435
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0f608b88cf17acc4e8c4d7d54fb4d578afb38d2c7f7a73b9df2cee7b9661cdb6a35b1b45e4a6d7c05e022a334f6c7ed8bf1427b301422c2e27f191a830dde621
|
|
7
|
+
data.tar.gz: 5d5bc1eab5158c5134f18a7f2f85e0653139ee13d67c45efb7050274d41ed6f1a5c2dee0c97c57ca987bd7f74556cbca9ae478b7782aee28f5967308d7bd3c92
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [v0.13.6](https://github.com/graphql-devise/graphql_devise/tree/v0.13.6) (2020-12-22)
|
|
4
|
+
|
|
5
|
+
[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.5...v0.13.6)
|
|
6
|
+
|
|
7
|
+
**Security fixes:**
|
|
8
|
+
|
|
9
|
+
- Possible security issue with password reset and redirectUrl [\#136](https://github.com/graphql-devise/graphql_devise/issues/136)
|
|
10
|
+
- Add redirect whitelist validation to all queries and mutations [\#140](https://github.com/graphql-devise/graphql_devise/pull/140) ([mcelicalderon](https://github.com/mcelicalderon))
|
|
11
|
+
|
|
3
12
|
## [v0.13.5](https://github.com/graphql-devise/graphql_devise/tree/v0.13.5) (2020-11-20)
|
|
4
13
|
|
|
5
14
|
[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.4...v0.13.5)
|
data/config/locales/en.yml
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
en:
|
|
2
2
|
graphql_devise:
|
|
3
|
+
redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
|
|
3
4
|
registration_failed: "User couldn't be registered"
|
|
4
5
|
resource_build_failed: "Resource couldn't be built, execution stopped."
|
|
5
6
|
not_authenticated: "User is not logged in."
|
|
@@ -7,7 +8,6 @@ en:
|
|
|
7
8
|
invalid_resource: "Errors present in the resource."
|
|
8
9
|
registrations:
|
|
9
10
|
missing_confirm_redirect_url: "Missing 'confirm_success_url' parameter. Required when confirmable module is enabled."
|
|
10
|
-
redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
|
|
11
11
|
passwords:
|
|
12
12
|
update_password_error: "Unable to update user password"
|
|
13
13
|
missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."
|
|
@@ -7,6 +7,12 @@ module GraphqlDevise
|
|
|
7
7
|
|
|
8
8
|
private
|
|
9
9
|
|
|
10
|
+
def check_redirect_url_whitelist!(redirect_url)
|
|
11
|
+
if blacklisted_redirect_url?(redirect_url)
|
|
12
|
+
raise_user_error(I18n.t('graphql_devise.redirect_url_not_allowed', redirect_url: redirect_url))
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
|
|
10
16
|
def raise_user_error(message)
|
|
11
17
|
raise GraphqlDevise::UserError, message
|
|
12
18
|
end
|
|
@@ -22,9 +22,7 @@ module GraphqlDevise
|
|
|
22
22
|
raise_user_error(I18n.t('graphql_devise.registrations.missing_confirm_redirect_url'))
|
|
23
23
|
end
|
|
24
24
|
|
|
25
|
-
|
|
26
|
-
raise_user_error(I18n.t('graphql_devise.registrations.redirect_url_not_allowed', redirect_url: redirect_url))
|
|
27
|
-
end
|
|
25
|
+
check_redirect_url_whitelist!(redirect_url)
|
|
28
26
|
|
|
29
27
|
resource.skip_confirmation_notification! if resource.respond_to?(:skip_confirmation_notification!)
|
|
30
28
|
|
|
@@ -7,6 +7,8 @@ module GraphqlDevise
|
|
|
7
7
|
argument :redirect_url, String, required: true
|
|
8
8
|
|
|
9
9
|
def resolve(confirmation_token:, redirect_url:)
|
|
10
|
+
check_redirect_url_whitelist!(redirect_url)
|
|
11
|
+
|
|
10
12
|
resource = resource_class.confirm_by_token(confirmation_token)
|
|
11
13
|
|
|
12
14
|
if resource.errors.empty?
|
|
@@ -39,6 +39,8 @@ DeviseTokenAuth.setup do |config|
|
|
|
39
39
|
|
|
40
40
|
config.default_confirm_success_url = 'https://google.com'
|
|
41
41
|
|
|
42
|
+
config.redirect_whitelist = ['https://google.com']
|
|
43
|
+
|
|
42
44
|
# By default we will use callbacks for single omniauth.
|
|
43
45
|
# It depends on fields like email, provider and uid.
|
|
44
46
|
# config.default_callbacks = true
|
|
@@ -9,7 +9,6 @@ RSpec.describe 'Additional Mutations' do
|
|
|
9
9
|
let(:password) { Faker::Internet.password }
|
|
10
10
|
let(:password_confirmation) { password }
|
|
11
11
|
let(:email) { Faker::Internet.email }
|
|
12
|
-
let(:redirect) { Faker::Internet.url }
|
|
13
12
|
|
|
14
13
|
context 'when using the user model' do
|
|
15
14
|
let(:query) do
|
|
@@ -9,7 +9,7 @@ RSpec.describe 'Resend confirmation' do
|
|
|
9
9
|
let!(:user) { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
|
|
10
10
|
let(:email) { user.email }
|
|
11
11
|
let(:id) { user.id }
|
|
12
|
-
let(:redirect) {
|
|
12
|
+
let(:redirect) { 'https://google.com' }
|
|
13
13
|
let(:query) do
|
|
14
14
|
<<-GRAPHQL
|
|
15
15
|
mutation {
|
|
@@ -23,6 +23,21 @@ RSpec.describe 'Resend confirmation' do
|
|
|
23
23
|
GRAPHQL
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
+
context 'when redirect_url is not whitelisted' do
|
|
27
|
+
let(:redirect) { 'https://not-safe.com' }
|
|
28
|
+
|
|
29
|
+
it 'returns a not whitelisted redirect url error' do
|
|
30
|
+
expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
|
|
31
|
+
|
|
32
|
+
expect(json_response[:errors]).to containing_exactly(
|
|
33
|
+
hash_including(
|
|
34
|
+
message: "Redirect to '#{redirect}' not allowed.",
|
|
35
|
+
extensions: { code: 'USER_ERROR' }
|
|
36
|
+
)
|
|
37
|
+
)
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
|
|
26
41
|
context 'when params are correct' do
|
|
27
42
|
context 'when using the gem schema' do
|
|
28
43
|
it 'sends an email to the user with confirmation url and returns a success message' do
|
|
@@ -7,7 +7,7 @@ RSpec.describe 'Send Password Reset Requests' do
|
|
|
7
7
|
|
|
8
8
|
let!(:user) { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
|
|
9
9
|
let(:email) { user.email }
|
|
10
|
-
let(:redirect_url) {
|
|
10
|
+
let(:redirect_url) { 'https://google.com' }
|
|
11
11
|
let(:query) do
|
|
12
12
|
<<-GRAPHQL
|
|
13
13
|
mutation {
|
|
@@ -21,6 +21,21 @@ RSpec.describe 'Send Password Reset Requests' do
|
|
|
21
21
|
GRAPHQL
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
+
context 'when redirect_url is not whitelisted' do
|
|
25
|
+
let(:redirect_url) { 'https://not-safe.com' }
|
|
26
|
+
|
|
27
|
+
it 'returns a not whitelisted redirect url error' do
|
|
28
|
+
expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
|
|
29
|
+
|
|
30
|
+
expect(json_response[:errors]).to containing_exactly(
|
|
31
|
+
hash_including(
|
|
32
|
+
message: "Redirect to '#{redirect_url}' not allowed.",
|
|
33
|
+
extensions: { code: 'USER_ERROR' }
|
|
34
|
+
)
|
|
35
|
+
)
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
|
|
24
39
|
context 'when params are correct' do
|
|
25
40
|
context 'when using the gem schema' do
|
|
26
41
|
it 'sends password reset email' do
|
|
@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
|
|
|
8
8
|
let(:name) { Faker::Name.name }
|
|
9
9
|
let(:password) { Faker::Internet.password }
|
|
10
10
|
let(:email) { Faker::Internet.email }
|
|
11
|
-
let(:redirect) {
|
|
11
|
+
let(:redirect) { 'https://google.com' }
|
|
12
12
|
|
|
13
13
|
context 'when using the user model' do
|
|
14
14
|
let(:query) do
|
|
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
|
|
|
31
31
|
GRAPHQL
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
+
context 'when redirect_url is not whitelisted' do
|
|
35
|
+
let(:redirect) { 'https://not-safe.com' }
|
|
36
|
+
|
|
37
|
+
it 'returns a not whitelisted redirect url error' do
|
|
38
|
+
expect { post_request }.to(
|
|
39
|
+
not_change(User, :count)
|
|
40
|
+
.and(not_change(ActionMailer::Base.deliveries, :count))
|
|
41
|
+
)
|
|
42
|
+
|
|
43
|
+
expect(json_response[:errors]).to containing_exactly(
|
|
44
|
+
hash_including(
|
|
45
|
+
message: "Redirect to '#{redirect}' not allowed.",
|
|
46
|
+
extensions: { code: 'USER_ERROR' }
|
|
47
|
+
)
|
|
48
|
+
)
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
|
|
34
52
|
context 'when params are correct' do
|
|
35
53
|
it 'creates a new resource that requires confirmation' do
|
|
36
54
|
expect { post_request }.to(
|
|
@@ -54,6 +54,21 @@ RSpec.describe 'Check Password Token Requests' do
|
|
|
54
54
|
expect(response.body).to include('uid=')
|
|
55
55
|
expect(response.body).to include('expiry=')
|
|
56
56
|
end
|
|
57
|
+
|
|
58
|
+
context 'when redirect_url is not whitelisted' do
|
|
59
|
+
let(:redirect_url) { 'https://not-safe.com' }
|
|
60
|
+
|
|
61
|
+
before { post_request }
|
|
62
|
+
|
|
63
|
+
it 'returns a not whitelisted redirect url error' do
|
|
64
|
+
expect(json_response[:errors]).to containing_exactly(
|
|
65
|
+
hash_including(
|
|
66
|
+
message: "Redirect to '#{redirect_url}' not allowed.",
|
|
67
|
+
extensions: { code: 'USER_ERROR' }
|
|
68
|
+
)
|
|
69
|
+
)
|
|
70
|
+
end
|
|
71
|
+
end
|
|
57
72
|
end
|
|
58
73
|
|
|
59
74
|
context 'when token has expired' do
|
|
@@ -7,7 +7,7 @@ RSpec.describe 'Account confirmation' do
|
|
|
7
7
|
|
|
8
8
|
context 'when using the user model' do
|
|
9
9
|
let(:user) { create(:user, confirmed_at: nil) }
|
|
10
|
-
let(:redirect) {
|
|
10
|
+
let(:redirect) { 'https://google.com' }
|
|
11
11
|
let(:query) do
|
|
12
12
|
<<-GRAPHQL
|
|
13
13
|
{
|
|
@@ -43,6 +43,21 @@ RSpec.describe 'Account confirmation' do
|
|
|
43
43
|
expect(user).to be_active_for_authentication
|
|
44
44
|
end
|
|
45
45
|
|
|
46
|
+
context 'when redirect_url is not whitelisted' do
|
|
47
|
+
let(:redirect) { 'https://not-safe.com' }
|
|
48
|
+
|
|
49
|
+
it 'returns a not whitelisted redirect url error' do
|
|
50
|
+
expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
|
|
51
|
+
|
|
52
|
+
expect(json_response[:errors]).to containing_exactly(
|
|
53
|
+
hash_including(
|
|
54
|
+
message: "Redirect to '#{redirect}' not allowed.",
|
|
55
|
+
extensions: { code: 'USER_ERROR' }
|
|
56
|
+
)
|
|
57
|
+
)
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
|
|
46
61
|
context 'when unconfirmed_email is present' do
|
|
47
62
|
let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
|
|
48
63
|
|
|
@@ -81,7 +96,7 @@ RSpec.describe 'Account confirmation' do
|
|
|
81
96
|
|
|
82
97
|
context 'when using the admin model' do
|
|
83
98
|
let(:admin) { create(:admin, confirmed_at: nil) }
|
|
84
|
-
let(:redirect) {
|
|
99
|
+
let(:redirect) { 'https://google.com' }
|
|
85
100
|
let(:query) do
|
|
86
101
|
<<-GRAPHQL
|
|
87
102
|
{
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: graphql_devise
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.13.
|
|
4
|
+
version: 0.13.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mario Celi
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: exe
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2020-
|
|
12
|
+
date: 2020-12-22 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: devise_token_auth
|