quo_vadis 1.3.2 → 2.0.1

data/test/dummy/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb

@@ -0,0 +1,8 @@
+Two-factor authentication was deactivated on your account just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/password_resets/edit.html.erb

@@ -0,0 +1,25 @@
+<h1>Reset password</h1>
+
+<% if @password.errors.any? %>
+  <ul>
+    <% @password.errors.full_messages.each do |msg| %>
+      <li><%= msg %></li>
+    <% end %>
+  </ul>
+<% end %>
+
+<%= form_with url: password_reset_path(params[:token]), method: :put do |f| %>
+  <p>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: 'new-password' %>
+  </p>
+
+  <p>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, autocomplete: 'new-password' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/test/dummy/app/views/quo_vadis/password_resets/index.html.erb

@@ -0,0 +1,5 @@
+<h1>Password reset</h1>
+
+<p>Please check your email.</p>
+
+<p><%= link_to 'Request a new email', new_password_reset_path %></p>

data/test/dummy/app/views/quo_vadis/password_resets/new.html.erb

@@ -0,0 +1,12 @@
+<h1>Reset password</h1>
+
+<%= form_with url: password_resets_path, method: :post do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/test/dummy/app/views/quo_vadis/passwords/edit.html.erb

@@ -0,0 +1,30 @@
+<h1>Change password</h1>
+
+<% if @password.errors.any? %>
+  <ul>
+    <% @password.errors.full_messages.each do |msg| %>
+      <li><%= msg %></li>
+    <% end %>
+  </ul>
+<% end %>
+
+<%= form_with url: password_path, method: :put do |f| %>
+  <p>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: 'current-password' %>
+  </p>
+
+  <p>
+    <%= f.label :new_password %>
+    <%= f.password_field :new_password, autocomplete: 'new-password' %>
+  </p>
+
+  <p>
+    <%= f.label :new_password_confirmation %>
+    <%= f.password_field :new_password_confirmation, autocomplete: 'new-password' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/test/dummy/app/views/quo_vadis/recovery_codes/challenge.html.erb

@@ -0,0 +1,11 @@
+<h1>2FA: Recovery code</h1>
+
+<p>Enter one of your recovery codes:</p>
+
+<%= form_with url: authenticate_recovery_codes_path, method: :post do |f| %>
+  <%= f.text_field :code, inputmode: 'decimal', autofocus: true, maxlength: '11' %>
+
+  <%= f.submit 'Verify' %>
+<% end %>
+
+<p><%= link_to 'Never mind, I want to use my TOTP verification code!', quo_vadis.challenge_totps_path %></p>

data/test/dummy/app/views/quo_vadis/recovery_codes/index.html.erb

@@ -0,0 +1,25 @@
+<h1>2FA: Recovery codes</h1>
+
+<p>If you lose your authenticator app, you can use recovery codes instead while you set up a new authenticator app.</p>
+
+<p>Each code can only be used once.</p>
+
+<% if @codes.present? %>
+
+  <p>This is the only time these codes can be shown to you!  We recommend you print them out and store them somewhere safely – but not next to your 2FA details in your authenticator app.</p>
+
+  <ul>
+    <% @codes.each do |code| %>
+      <li><tt><%= code %></tt></li>
+    <% end %>
+  </ul>
+
+<% else %>
+
+  <p>You have <%= pluralize @recovery_code_count, 'recovery code' %> left.</p>
+
+<% end %>
+
+<p>You can generate a fresh set of recovery codes whenever you like.</p>
+
+<p><%= button_to 'Generate a fresh set of recovery codes', generate_recovery_codes_path %></p>

data/test/dummy/app/views/quo_vadis/sessions/index.html.erb

@@ -0,0 +1,26 @@
+<h1>Sessions</h1>
+
+<table>
+  <thead>
+    <tr>
+      <th>IP</th>
+      <th>User agent</th>
+      <th></th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @qv_sessions.each do |sess| %>
+      <tr>
+        <td><%= sess.ip %></td>
+        <td><%= sess.user_agent %></td>
+        <td>
+          <% if sess.id == @qv_session.id %>
+            This session
+          <% else %>
+            <%= button_to 'Log out', quo_vadis.session_path(sess), method: :delete %>
+          <% end %>
+        </td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>

data/test/dummy/app/views/quo_vadis/sessions/new.html.erb

@@ -0,0 +1,24 @@
+<h1>Login</h1>
+
+<%= form_with url: login_path, method: :post do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: 'current-password' %>
+  </p>
+
+  <p>
+    <%= f.label :remember %>
+    <%= f.check_box :remember %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>
+
+<%= link_to 'I forgot my password', new_password_reset_path %>

data/test/dummy/app/views/quo_vadis/totps/challenge.html.erb

@@ -0,0 +1,11 @@
+<h1>2FA</h1>
+
+<p>Enter the 6 digit code generated by your authenticator:</p>
+
+<%= form_with url: authenticate_totps_path, method: :post do |f| %>
+  <%= f.text_field :totp, inputmode: 'decimal', autocomplete: 'one-time-code', autofocus: true, maxlength: '6' %>
+
+  <%= f.submit 'Verify' %>
+<% end %>
+
+<p><%= link_to 'I want to use a recovery code instead.', quo_vadis.challenge_recovery_codes_path %></p>

data/test/dummy/app/views/quo_vadis/totps/new.html.erb

@@ -0,0 +1,17 @@
+<h1>2FA: TOTP setup</h1>
+
+<p>1. With your authenticator app, either scan this QR code or enter the text: <pre><%= @totp.key %></pre></p>
+
+<%== @totp.qr_code.as_svg module_size: 5 %>
+
+
+<p>2. Enter the 6 digit code generated by your authenticator, to check it worked:</p>
+
+<%= form_with model: @totp do |f| %>
+  <%= f.hidden_field :key %>
+  <%= f.hidden_field :hmac_key %>
+
+  <%= f.text_field :otp, inputmode: 'decimal', autocomplete: 'one-time-code', autofocus: true, maxlength: '6' %>
+
+  <%= f.submit 'Confirm' %>
+<% end %>

data/test/dummy/app/views/quo_vadis/twofas/show.html.erb

@@ -0,0 +1,20 @@
+<h1>2FA</h1>
+
+<% if authenticated_model.qv_account.has_two_factors? %>
+
+  <p>You have set up 2FA.</p>
+  <p><%= button_to 'Deactivate your 2FA credentials', twofa_path, method: :delete %></p>
+
+<% else %>
+
+  <p>You do not have 2FA set up.</p>
+  <% if QuoVadis.two_factor_authentication_mandatory %>
+    <p>Please <%= link_to 'set it up', new_totp_path %> now.</p>
+  <% else %>
+    <p>You can <%= link_to 'set it up', new_totp_path %> if you like.</p>
+  <% end %>
+
+<% end %>
+
+
+<p> You have <%= link_to pluralize(@recovery_codes_count, 'recovery code'), recovery_codes_path %> left.</p>

data/test/dummy/app/views/sign_ups/new.html.erb

@@ -0,0 +1,37 @@
+<h1>New sign up (with confirmation)</h1>
+
+
+<% if @user.errors.any? %>
+  <ul>
+    <% @user.errors.full_messages.each do |message| %>
+      <li><%= message %></li>
+    <% end %>
+  </ul>
+<% end %>
+
+
+<%= form_with model: @user, url: sign_ups_path do |f| %>
+  <p>
+    <%= f.label :name %>
+    <%= f.text_field :name %>
+  </p>
+
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email %>
+  </p>
+
+  <p>
+    <%= f.label :password %>
+    <%= f.password_field :password %>
+  </p>
+
+  <p>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/test/dummy/app/views/sign_ups/show.html.erb

@@ -0,0 +1,5 @@
+<h1>User</h1>
+
+<p><%= @user.name %></p>
+
+<p><%= @user.email %></p>

data/test/dummy/app/views/users/new.html.erb

@@ -1,14 +1,37 @@
-<h1>Sign up</h1>
+<h1>New user (without confirmation)</h1>
 
-<%= form_for @user do |f| %>
-  <%= f.label :name %>
-  <%= f.text_field :name %>
 
-  <%= f.label :username %>
-  <%= f.text_field :username %>
+<% if @user.errors.any? %>
+  <ul>
+    <% @user.errors.full_messages.each do |message| %>
+      <li><%= message %></li>
+    <% end %>
+  </ul>
+<% end %>
+
+
+<%= form_with model: @user do |f| %>
+  <p>
+    <%= f.label :name %>
+    <%= f.text_field :name %>
+  </p>
+
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email %>
+  </p>
+
+  <p>
+    <%= f.label :password %>
+    <%= f.password_field :password %>
+  </p>
 
-  <%= f.label :password %>
-  <%= f.password_field :password %>
+  <p>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation %>
+  </p>
 
-  <%= f.submit 'Sign up' %>
+  <p>
+    <%= f.submit %>
+  </p>
 <% end %>

data/test/dummy/config.ru

@@ -1,4 +1,7 @@
-# This file is used by Rack-based servers to start the application.
+require_relative 'config/environment'
 
-require ::File.expand_path('../config/environment',  __FILE__)
-run Dummy::Application
+run Rails.application
+Rails.application.load_server
+
+
+# copied from qvfull - not sure if necessary

data/test/dummy/config/application.rb

@@ -1,21 +1,30 @@
-require File.expand_path('../boot', __FILE__)
+require_relative 'boot'
 
+# copied from https://github.com/janko/rodauth-rails/blob/master/test/rails_app/config/application.rb
+
+# require "rails/all"
 require "active_model/railtie"
 require "active_record/railtie"
-require "action_controller/railtie"
-require "action_view/railtie"
+# require "action_controller/railtie"
+# require "action_view/railtie"
 require "action_mailer/railtie"
+require "rails/test_unit/railtie"
+
+Bundler.require(*Rails.groups)
 
-Bundler.require
 require 'quo_vadis'
 
 module Dummy
   class Application < Rails::Application
-    # Configure the default encoding used in templates for Ruby 1.9.
-    config.encoding = "utf-8"
+    config.load_defaults Rails::VERSION::STRING.to_f
 
-    # Configure sensitive parameters which will be filtered from the log file.
-    config.filter_parameters += [:password]
+    # config.logger = Logger.new nil
+    config.eager_load = true
+    config.action_dispatch.show_exceptions = false
+    config.action_controller.allow_forgery_protection = false
+
+    config.action_mailer.delivery_method = :test
+    config.action_mailer.default_url_options = { host: 'example.com' }
+    config.action_mailer.delivery_job = 'ActionMailer::MailDeliveryJob'
   end
 end
-

data/test/dummy/config/boot.rb

@@ -1,10 +1,4 @@
-require 'rubygems'
-gemfile = File.expand_path('../../../../Gemfile', __FILE__)
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path('../../../Gemfile', __dir__)
 
-if File.exist?(gemfile)
-  ENV['BUNDLE_GEMFILE'] = gemfile
-  require 'bundler'
-  Bundler.setup
-end
-
-$:.unshift File.expand_path('../../../../lib', __FILE__)
+require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
+$LOAD_PATH.unshift File.expand_path('../../../lib', __dir__)

data/test/dummy/config/database.yml

@@ -1,22 +1,10 @@
-# SQLite version 3.x
-#   gem install sqlite3-ruby (not necessary on OS X Leopard)
 development:
   adapter: sqlite3
-  database: db/development.sqlite3
   pool: 5
   timeout: 5000
-
-# Warning: The database defined as "test" will be erased and
-# re-generated from your development database when you run "rake".
-# Do not set this db to the same as development or production.
+  database: db/development.sqlite3
 test:
   adapter: sqlite3
-  database: db/test.sqlite3
-  pool: 5
-  timeout: 5000
-
-production:
-  adapter: sqlite3
-  database: db/production.sqlite3
   pool: 5
   timeout: 5000
+  database: db/test.sqlite3

data/test/dummy/config/environment.rb

@@ -1,5 +1,4 @@
-# Load the rails application
-require File.expand_path('../application', __FILE__)
+require_relative 'application'
 
-# Initialize the rails application
 Dummy::Application.initialize!
+# Rails.application.initialize!

data/test/dummy/config/initializers/quo_vadis.rb

@@ -1,84 +1,7 @@
-QuoVadis.configure do |config|
-
-  #
-  # Sign in
-  #
-
-  # The URL to redirect the user to after s/he signs in.
-  # Use a proc if the URL depends on the user.  E.g.:
-  #
-  # config.signed_in_url = Proc.new do |user|
-  #   user.admin? ? :admin : :root
-  # end
-  #
-  # See also `:override_original_url`.
-  config.signed_in_url = :root
-
-  # Whether the `:signed_in_url` should override the URL the user was trying
-  # to reach when they were made to authenticate.
-  config.override_original_url = false
-
-  # Code to run when the user has signed in.  E.g.:
-  #
-  # config.signed_in_hook = Proc.new do |user, controller|
-  #   user.increment! :sign_in_count  # assuming this attribute exists
-  # end
-  config.signed_in_hook = nil
-
-  # Code to run when someone has tried but failed to sign in.  E.g.:
-  #
-  # config.failed_sign_in_hook = Proc.new do |controller|
-  #   Rails.logger.info "Failed sign in from #{controller.request.remote_ip}"
-  # end
-  config.failed_sign_in_hook = nil
-
-  # How long to remember user across browser sessions.
-  # Set to <tt>nil</tt> to never remember user.
-  config.remember_for = 2.weeks
-
-  # Code to run to determine whether the sign-in process is blocked to the user.  E.g.:
-  #
-  # config.blocked = Proc.new do |controller|
-  #   # Assuming a SignIn model with scopes for `failed`, `last_day`, `for_ip`.
-  #   SignIn.failed.last_day.for_ip(controller.request.remote_ip) >= 5
-  # end
-  config.blocked = false
-
-
-  #
-  # Sign out
-  #
-
-  # The URL to redirect the user to after s/he signs out.
-  config.signed_out_url = :root
-
-  # Code to run just before the user has signed out.  E.g.:
-  #
-  # config.signed_out_hook = Proc.new do |user, controller|
-  #   controller.session.reset
-  # end
-  config.signed_out_hook = nil
-
-
-  #
-  # Forgotten-password Mailer
-  #
-
-  # From whom the forgotten-password email should be sent.
-  config.from = 'noreply@example.com'
-
-  # Subject of the forgotten-password email.
-  config.subject_change_password = 'Change your password'
-
-  # Subject of the invitation email.
-  config.subject_invitation = 'Activate your account'
-
-
-  #
-  # Miscellaneous
-  #
-
-  # Layout for the sign-in view.  Pass a string or a symbol.
-  config.layout = 'application'
+QuoVadis.configure do
+  # Cannot use the __Host- prefix in a non-SSL environment.
+  # https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3.2
+  cookie_name 'qv'
 
+  session_lifetime 1.week
 end