janus 0.9.0 → 0.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fea9943c78cce6d222a79c9038f4cfed503eb2f2
-  data.tar.gz: 7a40e9798588323ba8318b845395a4384d77f59d
+  metadata.gz: efac9f377f862b38faf519a989cdbeccc08251c8
+  data.tar.gz: 40c57afe330efb056c7ed7e2219c5d0968fc0cf6
 SHA512:
-  metadata.gz: a13b710c833af906688fc9bc8dce633c9cc4d54f7c31563fdf25d8828ece45c490b8fe550f84c0f0e4f21bc42c8570fa211a5112f7db13eb97c8ea18bd4e661a
-  data.tar.gz: 8aecfa6247cc1acc5e8ad016106ef596b6e6676458be3d3f95bf883775f120a0dc0bc1e70cb5946113aa0b15c6eb347dc8019d23a467fa254829a173fd7747a8
+  metadata.gz: ff9cd1ececaa6405979cc93693788311c387743951817b49fde59ac7501ac8366b236ae620469ab721d2140dfb87f73c95ed792dec34678fddc62b8240e8ffeb
+  data.tar.gz: 2b94e5e8545101c77a20044ac59fb2b05671cc3943948fe405225db692b2bd7de1f4df06662c77ba5e053fd7e6f031198ab9401c360f6fd187798eb7cf45a699

data/.travis.yml

@@ -3,8 +3,7 @@ script: bundle exec rake test
 
 rvm:
   - 1.9.3
-  - 2.0.0
-  - 2.1.0
+  - 2.1.2
 
 gemfile:
   - Gemfile
@@ -13,6 +12,12 @@ gemfile:
   - gemfiles/Gemfile.rails-head
 
 matrix:
+  exclude:
+    - rvm: 1.9.3
+      gemfile: gemfiles/Gemfile.rails-head
   allow_failures:
     - gemfile: gemfiles/Gemfile.rails-head
 
+env:
+  global:
+    - NOKOGIRI_USE_SYSTEM_LIBRARIES=1

data/CHANGELOG.md

@@ -0,0 +1,8 @@
+v0.9.1
+
+- Fixed compatibility with the latest Rails 4.0 and 4.1 releases that fixed a
+  bug with strong parameters. See 5b5a7e7
+- `Janus::SessionsController#valid_host?(host)` to interrupt a blind redirection
+  when `params[:return_to]` is the current host. See b120010.
+
+Compare: https://github.com/ysbaddaden/janus/compare/v0.9.0...v0.9.1

data/README.rdoc

@@ -33,22 +33,23 @@ As for the strategies and hooks:
 
 == Getting Started
 
-First add the janus gem to your Gemfile, then run `bundle` to install it:
+First add the janus gem to your Gemfile, then run +bundle+ to install it:
 
   gem 'janus'
-  gem 'bcrypt-ruby'
+  gem 'bcrypt'
   # gem 'scrypt'
 
-You'll also need either the `bcrypt-ruby` or scrypt` gems, depending on which
-library you want to use to encrypt the passwords. Janus uses bcrypt by default,
+You also need either the bcrypt or scrypt gems, depending on which library
+you want to use to encrypt the passwords. Janus uses bcrypt by default,
 to be compatible with Devise, but you may prefer scrypt, which is stronger.
 
 Run the <tt>janus:install</tt> generator to setup janus in your app:
 
   $ rails generate janus:install
 
-If you are running Rails 4.1+ you must add a `secret_pepper` to your
-`config/secrets.yml` file after generating a secure token with `rake secret`:
+If you are running Rails 4.1+ you must add a <tt>secret_pepper</tt> to your
+<tt>config/secrets.yml</tt> file after generating a secure token with
+<tt>rake secret</tt>:
 
   # config/secrets.yml
   development:
@@ -62,8 +63,8 @@ If you are running Rails 4.1+ you must add a `secret_pepper` to your
     secret_pepper: ENV["SECRET_PEPPER"]
 
 If you are running a previous version of Rails, then you should edit
-`config/initializers/janus.rb` to use an environment variable instead of the
-generated token.
+<tt>config/initializers/janus.rb</tt> to use an environment variable instead of
+the generated token.
 
 Then create your first authenticatable resource, let's say +User+:
 

data/VERSION

@@ -1 +1 @@
-0.9.0
+0.9.1

data/janus.gemspec

@@ -21,7 +21,7 @@ Gem::Specification.new do |gem|
 
   gem.add_development_dependency 'rails', '>= 3.0.0'
   gem.add_development_dependency 'sqlite3'
-  gem.add_development_dependency 'bcrypt-ruby'
+  gem.add_development_dependency 'bcrypt'
   gem.add_development_dependency 'scrypt'
   gem.add_development_dependency 'minitest'
   gem.add_development_dependency 'capybara'

data/lib/janus/controllers/confirmations_controller.rb

@@ -38,7 +38,7 @@ class Janus::ConfirmationsController < ApplicationController
   end
 
   def create
-    self.resource = resource_class.find_for_database_authentication(params[resource_name])
+    self.resource = resource_class.find_for_database_authentication(resource_authentication_params)
 
     if resource
       deliver_confirmation_instructions(resource)

data/lib/janus/controllers/internal_helpers.rb

@@ -43,6 +43,14 @@ module Janus
       janus_scope
     end
 
+    def resource_authentication_params
+      if params.respond_to?(:permit)
+        params.require(janus_scope).permit(*resource_class.authentication_keys)
+      else
+        params[janus_scope].slice(*resource_class.authentication_keys)
+      end
+    end
+
     # Returns the `UserMailer` class (or `AdminMailer` or whatever) as detected
     # by janus_scope.
     def mailer_class

data/lib/janus/controllers/passwords_controller.rb

@@ -11,7 +11,7 @@ class Janus::PasswordsController < ApplicationController
   end
 
   def create
-    self.resource = resource_class.find_for_database_authentication(params[resource_name])
+    self.resource = resource_class.find_for_database_authentication(resource_authentication_params)
 
     if resource
       resource.generate_reset_password_token!

data/lib/janus/controllers/sessions_controller.rb

@@ -27,7 +27,7 @@ class Janus::SessionsController < ApplicationController
   end
 
   def create
-    self.resource = resource_class.find_for_database_authentication(params[resource_name])
+    self.resource = resource_class.find_for_database_authentication(resource_authentication_params)
 
     if resource && resource.valid_password?(params[resource_name][:password])
       janus.login(resource, :scope => janus_scope, :rememberable => params[:remember_me])
@@ -39,7 +39,7 @@ class Janus::SessionsController < ApplicationController
     else
       respond_to do |format|
         format.html do
-          self.resource ||= resource_class.new(resource_params)
+          self.resource ||= resource_class.new(resource_authentication_params)
           resource.clean_up_passwords
           resource.errors.add(:base, :not_found)
           render "new", :status => :unauthorized
@@ -71,7 +71,16 @@ class Janus::SessionsController < ApplicationController
     root_url
   end
 
-  # Returns true if host is known and that we allow to redirect the user
+  # Returns true if host is request.host. You may want to overwrite this method
+  # to check if a user can access the current host and return false otherwise.
+  #
+  # For instance when a user signed in from a subdomain she can't access, and
+  # you want to redirect her to another subdomain.
+  def valid_host?(host)
+    host == request.host
+  end
+
+  # Must return true if host is known and we allow to redirect the user
   # with an auth_token.
   #
   # Warning: must be overwritten by child classes because it always
@@ -108,17 +117,23 @@ class Janus::SessionsController < ApplicationController
   # to this URL or not, in order to secure auth tokens for
   # RemoteAuthenticatable to leak into the wild.
   def redirect_after_sign_in(user)
-    unless params[:return_to].blank?
+    if params[:return_to].present?
       return_to = Addressable::URI.parse(params[:return_to])
 
       unless never_return_to(user).include?(return_to.path)
-        if return_to.host.nil? || return_to.host == request.host
+        # path or same host redirection
+        if valid_host?(return_to.host || request.host)
           redirect_to params[:return_to]
           return
-        elsif valid_remote_host?(return_to.host)
+        end
+
+        # external host redirection
+        if valid_remote_host?(return_to.host)
           if user.class.include?(Janus::Models::RemoteAuthenticatable)
             query = return_to.query_values || {}
-            return_to.query_values = query.merge(user.class.remote_authentication_key => user.generate_remote_token!)
+            return_to.query_values = query.merge(
+              user.class.remote_authentication_key => user.generate_remote_token!
+            )
           end
 
           redirect_to return_to.to_s
@@ -129,12 +144,4 @@ class Janus::SessionsController < ApplicationController
 
     redirect_to after_sign_in_url(user)
   end
-
-  def resource_params
-    if params.respond_to?(:permit)
-      params.require(janus_scope).permit(*resource_class.authentication_keys)
-    else
-      params[janus_scope].slice(*resource_class.authentication_keys)
-    end
-  end
 end

data/test/functional/users/sessions_controller_test.rb

@@ -48,6 +48,13 @@ class Users::SessionsControllerTest < ActionController::TestCase
     assert_authenticated(:user)
   end
 
+  test "create should skip redirect on invalid host" do
+    request.host = "invalid.test.host"
+    post :create, :user => @valid, :return_to => root_path
+    assert_redirected_to user_url
+    assert_authenticated(:user)
+  end
+
   test "create should not redirect to unknown host" do
     post :create, :user => @valid, :return_to => root_url(:host => 'www.bad-host.com')
     assert_redirected_to user_url

data/test/rails_app/app/controllers/users/sessions_controller.rb

@@ -5,6 +5,10 @@ class Users::SessionsController < Janus::SessionsController
     user_url
   end
 
+  def valid_host?(host)
+    super && host != "invalid.test.host"
+  end
+
   def valid_remote_host?(host)
     ['www.example.com', 'test.host'].include?(host)
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: janus
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.9.1
 platform: ruby
 authors:
 - Julien Portalier
@@ -30,7 +30,7 @@ cert_chain:
   KVqCN//9bevjMk5OiMi9X3Wu/GtVWDwC6OTWFWKd54KgbuWlakO8LC1SMmStnCIF
   W4qpyMWMZMcB4ZN/0mUVzY5xwrislBtsmQVUSw==
   -----END CERTIFICATE-----
-date: 2014-04-22 00:00:00.000000000 Z
+date: 2014-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -75,7 +75,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: bcrypt-ruby
+  name: bcrypt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -139,6 +139,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".travis.yml"
+- CHANGELOG.md
 - LICENSE
 - README.rdoc
 - Rakefile