quo_vadis 1.4.0 → 2.0.2

data/lib/quo_vadis/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module QuoVadis
-  VERSION = '1.4.0'
+  VERSION = '2.0.2'
 end

data/quo_vadis.gemspec

@@ -1,31 +1,26 @@
-# -*- encoding: utf-8 -*-
-$:.push File.expand_path('../lib', __FILE__)
-require 'quo_vadis/version'
+# frozen_string_literal: true
 
-Gem::Specification.new do |s|
-  s.name        = 'quo_vadis'
-  s.version     = QuoVadis::VERSION
-  s.platform    = Gem::Platform::RUBY
-  s.authors     = ['Andy Stewart']
-  s.email       = ['boss@airbladesoftware.com']
-  s.homepage    = 'https://github.com/airblade/quo_vadis'
-  s.summary     = 'Simple username/password authentication for Rails 3.'
-  s.description = s.summary
+require_relative 'lib/quo_vadis/version'
 
-  s.rubyforge_project = 'quo_vadis'
+Gem::Specification.new do |spec|
+  spec.name          = 'quo_vadis'
+  spec.version       = QuoVadis::VERSION
+  spec.authors       = ['Andy Stewart']
+  spec.email         = ['boss@airbladesoftware.com']
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ['lib']
+  spec.summary       = 'Multifactor authentication for Rails 6.'
+  spec.homepage      = 'https://github.com/airblade/quo_vadis'
+  spec.license       = 'MIT'
 
-  s.add_dependency 'rails',       '> 3.0.4', '< 5'
-  s.add_dependency 'bcrypt-ruby', '~> 3.0.0'
+  # spec.required_ruby_version = Gem::Requirement.new('>= 2.4.0')
 
-  # s.add_development_dependency 'rails', '~> 3.0.4'  # so we can test CSRF protection
-  s.add_development_dependency 'sqlite3'
-  s.add_development_dependency 'capybara', '~>1.1'
-  s.add_development_dependency 'launchy'
-  s.add_development_dependency 'rake'
-  s.add_development_dependency 'test-unit', '~> 3.0'
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0")
+  end
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'rails',   '>= 6'
+  spec.add_dependency 'bcrypt',  '~> 3.1.7'
+  spec.add_dependency 'rotp',    '>= 6'
+  spec.add_dependency 'rqrcode', '~> 2.0'
 end

data/test/dummy/README.markdown

@@ -0,0 +1 @@
+Only authenticated users can view articles.

data/test/dummy/Rakefile

@@ -1,7 +1,3 @@
-# Add your own tasks in files placed in lib/tasks ending in .rake,
-# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+require_relative 'config/application'
 
-require File.expand_path('../config/application', __FILE__)
-require 'rake'
-
-Dummy::Application.load_tasks
+Rails.application.load_tasks

data/test/dummy/app/controllers/application_controller.rb

@@ -1,3 +1,2 @@
 class ApplicationController < ActionController::Base
-  protect_from_forgery
 end

data/test/dummy/app/controllers/articles_controller.rb

@@ -1,20 +1,17 @@
 class ArticlesController < ApplicationController
-  before_filter :authenticate, :except => [:index, :show]
+  before_action :require_authentication, except: :index
+  before_action :require_two_factor_authentication, only: :very_secret
 
   def index
-    @articles = Article.all
   end
 
-  def new
-    @article = Article.new
+  def secret
   end
 
-  def create
-    @article = Article.new params[:article]
-    if @article.save
-      redirect_to :action => 'index'
-    else
-      render 'new'
-    end
+  def also_secret
   end
+
+  def very_secret
+  end
+
 end

data/test/dummy/app/controllers/sign_ups_controller.rb

@@ -0,0 +1,42 @@
+# To test sign-ups with confirmation (activation / verification)
+class SignUpsController < ApplicationController
+
+  around_action :toggle_confirmation
+
+  def new
+    @user = User.new
+  end
+
+
+  def create
+    @user = User.new user_params
+    if @user.save
+      if QuoVadis.accounts_require_confirmation
+        request_confirmation @user
+        redirect_to quo_vadis.confirmations_path
+      else
+        redirect_to articles_path
+      end
+    else
+      render :new
+    end
+  end
+
+  def show
+    @user = User.find params[:id]
+  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:name, :email, :password, :password_confirmation)
+  end
+
+  def toggle_confirmation
+    QuoVadis.accounts_require_confirmation true
+    yield
+  ensure
+    QuoVadis.accounts_require_confirmation false
+  end
+
+end

data/test/dummy/app/controllers/users_controller.rb

@@ -1,17 +1,25 @@
-class UsersController < ActionController::Base
+# To test creating users without activation
+class UsersController < ApplicationController
 
   def new
     @user = User.new
   end
 
   def create
-    @user = User.new params[:user]
+    @user = User.new user_params
     if @user.save
-      flash[:notice] = 'You have signed up!'
-      sign_in @user  # <-- Quo Vadis sign-in hook
+      # NOTE to login the user here, do this:
+      # login @user, true
+      redirect_to articles_path
     else
-      render 'new'
+      render :new
     end
   end
 
+  private
+
+  def user_params
+    params.require(:user).permit(:name, :email, :password, :password_confirmation)
+  end
+
 end

data/test/dummy/app/models/application_record.rb

@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end

data/test/dummy/app/models/article.rb

@@ -1,2 +1,3 @@
-class Article < ActiveRecord::Base
+class Article < ApplicationRecord
+  validates :title, presence: true
 end

data/test/dummy/app/models/person.rb

@@ -1,3 +1,6 @@
-class Person < ActiveRecord::Base
-  authenticates
+class Person < ApplicationRecord
+  validates :username, presence: true, uniqueness: {case_sensitive: false}
+  validates :email, presence: true, uniqueness: {case_sensitive: false}
+
+  authenticates identifier: :username
 end

data/test/dummy/app/models/user.rb

@@ -1,3 +1,6 @@
-class User < ActiveRecord::Base
+class User < ApplicationRecord
+  validates :name, presence: true
+  validates :email, presence: true, uniqueness: {case_sensitive: false}
+
   authenticates
 end

data/test/dummy/app/views/articles/also_secret.html.erb

@@ -0,0 +1 @@
+<p>Also-secret Articles</p>

data/test/dummy/app/views/articles/index.html.erb

@@ -1 +1 @@
-<h1>Articles</h1>
+<p>Public Articles</p>

data/test/dummy/app/views/articles/secret.html.erb

@@ -0,0 +1 @@
+<p>Secret Articles</p>

data/test/dummy/app/views/articles/very_secret.html.erb

@@ -0,0 +1,2 @@
+<p>Very Secret Articles</p>
+

data/test/dummy/app/views/layouts/application.html.erb

@@ -1,30 +1,46 @@
-<!DOCTYPE html>
 <html>
-<head>
-  <title>Dummy</title>
-  <%= csrf_meta_tag %>
-</head>
-<body>
-
-  <div id='topnav'>
-    <% if authenticated? %>
-      You are signed in as
-      <% if defined?(current_user) %>
-        <%= current_user.name %>.
-      <% elsif defined?(current_person) %>
-        <%= current_person.name %>.
+  <head>
+    <meta charset="utf-8">
+    <%= csrf_meta_tags %>
+    <style>
+      nav {
+        border-bottom: 1px solid #ddd;
+        padding: 10px 0;
+      }
+      nav span {
+        margin: 0 5px;
+      }
+      main {
+        margin-top: 20px;
+      }
+    </style>
+  </head>
+  <body>
+    <nav>
+      <% if logged_in? %>
+        <span>Logged in as: <%= authenticated_model.email %></span>
+        <span><%= link_to 'Sessions', quo_vadis.sessions_path %></span>
+        <span><%= link_to 'Change password', quo_vadis.edit_password_path %></span>
+        <span><%= link_to '2FA', quo_vadis.twofa_path %></span>
+        <span><%= link_to 'Logs', quo_vadis.logs_path %></span>
+        <span><%= button_to 'Log out', quo_vadis.logout_path, method: :delete, form: {style: 'display:inline-block'} %></span>
+      <% else %>
+        <span><%= link_to 'Add user (without confirmation)', main_app.new_user_path %></span>
+        <span><%= link_to 'Sign up (with confirmation)', main_app.new_sign_up_path %></span>
+        <span><%= link_to 'Log in', quo_vadis.login_path %></span>
       <% end %>
-      <%= link_to 'Sign out', sign_out_path %>
-    <% else %>
-      <%= link_to 'Sign in', sign_in_path %>
-    <% end %>
-  </div>
-
-  <% flash.each do |key, value| %>
-    <div class='flash <%= key %>'><%= value %></div>
-  <% end %>
+    </nav>
 
-<%= yield %>
+    <main>
+      <section>
+        <% %w[notice alert].select { |k| flash.key? k }.each do |k| %>
+          <div class="flash flash-<%= k %>">
+            <%= flash[k] %>
+          </div>
+        <% end %>
+      </section>
 
-</body>
+      <%= yield %>
+    </main>
+  </body>
 </html>

data/test/dummy/app/views/quo_vadis/confirmations/edit.html.erb

@@ -0,0 +1,10 @@
+<h1>Confirm account</h1>
+
+<%= form_with url: confirmation_path(params[:token]), method: :put do |f| %>
+
+  <p>
+    <label>Please click the button to confirm your account:</label>
+    <%= f.submit %>
+  </p>
+
+<% end %>

data/test/dummy/app/views/quo_vadis/confirmations/edit_email.html.erb

@@ -0,0 +1,14 @@
+<h1>Account confirmation: change email</h1>
+
+<p>Please update your email address.</p>
+
+<%= form_with url: update_email_confirmations_path, method: :put do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, value: @email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.submit 'Update my email address and send me a new confirmation email' %>
+  </p>
+<% end %>

data/test/dummy/app/views/quo_vadis/confirmations/index.html.erb

@@ -0,0 +1,14 @@
+<h1>Account confirmation</h1>
+
+<% if @account %>
+  <p>We have sent an email to <%= @account.model.email %>.</p>
+
+  <p>Wrong address?  <%= link_to 'Change it', edit_email_confirmations_path %>.</p>
+
+  <p>Didn't receive it?  <%= button_to 'Get another one', resend_confirmations_path %></p>
+
+<% else %>
+  <p>We have sent an email to you.</p>
+
+  <p><%= link_to 'Request a new email', new_confirmation_path %></p>
+<% end %>

data/test/dummy/app/views/quo_vadis/confirmations/new.html.erb

@@ -0,0 +1,16 @@
+<h1>Resend confirmation instructions</h1>
+
+<%# Note that in this example the User identifier is :email. %>
+
+<p>If you didn't receive the confirmation email, please enter your email address and we'll send you another one.</p>
+
+<%= form_with url: confirmations_path, method: :post do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/test/dummy/app/views/quo_vadis/logs/index.html.erb

@@ -0,0 +1,28 @@
+<h1>Logs</h1>
+
+<table>
+  <thead>
+    <tr>
+      <th>Action</th>
+      <th>IP</th>
+      <th>Metadata</th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @logs.each do |log| %>
+      <tr>
+        <td><%= log.action %></td>
+        <td><%= log.ip %></td>
+        <td><%= log.metadata.empty? ? '' : log.metadata.map {|k,v| "#{k}: #{v}"}.join(', ') %></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<% if @prev_page %>
+  <%= link_to 'Newer', logs_path(page: @prev_page) %>
+<% end %>
+
+<% if @next_page %>
+  <%= link_to 'Older', logs_path(page: @next_page) %>
+<% end %>

data/test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb

@@ -0,0 +1,4 @@
+You can confirm your account here:
+
+<%= @url %>
+

data/test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your email address was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your <%= @identifier %> was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your password was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb

@@ -0,0 +1,8 @@
+Your password was reset just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb

@@ -0,0 +1,8 @@
+Recovery codes for two-factor authentication were generated for your account just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.