RubyGems - quo_vadis - Versions diffs - 1.4.2 → 2.0.0 - Mend

quo_vadis 1.4.2 → 2.0.0

Files changed (126) hide show

checksums.yaml +5 -5
data/.gitignore +11 -8
data/CHANGELOG.md +5 -0
data/Gemfile +14 -1
data/Gemfile.lock +178 -0
data/LICENSE.txt +21 -0
data/README.md +435 -127
data/Rakefile +15 -9
data/app/controllers/quo_vadis/confirmations_controller.rb +56 -0
data/app/controllers/quo_vadis/logs_controller.rb +20 -0
data/app/controllers/quo_vadis/password_resets_controller.rb +65 -0
data/app/controllers/quo_vadis/passwords_controller.rb +26 -0
data/app/controllers/quo_vadis/recovery_codes_controller.rb +54 -0
data/app/controllers/quo_vadis/sessions_controller.rb +50 -132
data/app/controllers/quo_vadis/totps_controller.rb +72 -0
data/app/controllers/quo_vadis/twofas_controller.rb +26 -0
data/app/mailers/quo_vadis/mailer.rb +73 -0
data/app/models/quo_vadis/account.rb +59 -0
data/app/models/quo_vadis/account_confirmation_token.rb +17 -0
data/app/models/quo_vadis/log.rb +57 -0
data/app/models/quo_vadis/password.rb +52 -0
data/app/models/quo_vadis/password_reset_token.rb +17 -0
data/app/models/quo_vadis/recovery_code.rb +26 -0
data/app/models/quo_vadis/session.rb +55 -0
data/app/models/quo_vadis/token.rb +42 -0
data/app/models/quo_vadis/totp.rb +56 -0
data/bin/console +15 -0
data/bin/rails +21 -0
data/bin/setup +8 -0
data/config/locales/quo_vadis.en.yml +50 -23
data/config/routes.rb +40 -12
data/db/migrate/202102150904_setup.rb +48 -0
data/lib/generators/quo_vadis/install_generator.rb +4 -23
data/lib/quo_vadis.rb +100 -98
data/lib/quo_vadis/controller.rb +227 -0
data/lib/quo_vadis/crypt.rb +43 -0
data/lib/quo_vadis/current_request_details.rb +11 -0
data/lib/quo_vadis/defaults.rb +18 -0
data/lib/quo_vadis/encrypted_type.rb +17 -0
data/lib/quo_vadis/engine.rb +9 -11
data/lib/quo_vadis/hmacable.rb +26 -0
data/lib/quo_vadis/ip_masking.rb +31 -0
data/lib/quo_vadis/model.rb +86 -0
data/lib/quo_vadis/version.rb +3 -1
data/quo_vadis.gemspec +18 -25
metadata +46 -246
data/app/controllers/controller_mixin.rb +0 -109
data/app/mailers/quo_vadis/notifier.rb +0 -30
data/app/models/model_mixin.rb +0 -128
data/lib/generators/quo_vadis/templates/migration.rb.erb +0 -18
data/lib/generators/quo_vadis/templates/quo_vadis.rb.erb +0 -96
data/test/dummy/.gitignore +0 -2
data/test/dummy/Rakefile +0 -7
data/test/dummy/app/controllers/application_controller.rb +0 -3
data/test/dummy/app/controllers/articles_controller.rb +0 -20
data/test/dummy/app/controllers/users_controller.rb +0 -17
data/test/dummy/app/helpers/application_helper.rb +0 -2
data/test/dummy/app/helpers/articles_helper.rb +0 -2
data/test/dummy/app/models/article.rb +0 -2
data/test/dummy/app/models/person.rb +0 -3
data/test/dummy/app/models/user.rb +0 -3
data/test/dummy/app/views/articles/index.html.erb +0 -1
data/test/dummy/app/views/articles/new.html.erb +0 -11
data/test/dummy/app/views/layouts/application.html.erb +0 -30
data/test/dummy/app/views/layouts/sessions.html.erb +0 -3
data/test/dummy/app/views/quo_vadis/notifier/change_password.text.erb +0 -9
data/test/dummy/app/views/quo_vadis/notifier/invite.text.erb +0 -8
data/test/dummy/app/views/sessions/edit.html.erb +0 -11
data/test/dummy/app/views/sessions/forgotten.html.erb +0 -13
data/test/dummy/app/views/sessions/invite.html.erb +0 -31
data/test/dummy/app/views/sessions/new.html.erb +0 -15
data/test/dummy/app/views/users/new.html.erb +0 -14
data/test/dummy/config.ru +0 -4
data/test/dummy/config/application.rb +0 -21
data/test/dummy/config/boot.rb +0 -10
data/test/dummy/config/database.yml +0 -22
data/test/dummy/config/environment.rb +0 -5
data/test/dummy/config/environments/development.rb +0 -26
data/test/dummy/config/environments/production.rb +0 -49
data/test/dummy/config/environments/test.rb +0 -37
data/test/dummy/config/initializers/backtrace_silencers.rb +0 -7
data/test/dummy/config/initializers/inflections.rb +0 -10
data/test/dummy/config/initializers/mime_types.rb +0 -5
data/test/dummy/config/initializers/quo_vadis.rb +0 -77
data/test/dummy/config/initializers/rack_patch.rb +0 -16
data/test/dummy/config/initializers/secret_token.rb +0 -7
data/test/dummy/config/initializers/session_store.rb +0 -8
data/test/dummy/config/locales/en.yml +0 -5
data/test/dummy/config/locales/quo_vadis.en.yml +0 -21
data/test/dummy/config/routes.rb +0 -5
data/test/dummy/db/migrate/20110124125037_create_users.rb +0 -13
data/test/dummy/db/migrate/20110124131535_create_articles.rb +0 -14
data/test/dummy/db/migrate/20110127094709_add_authentication_to_users.rb +0 -18
data/test/dummy/db/migrate/20111004112209_create_people.rb +0 -13
data/test/dummy/db/migrate/20111004132342_add_authentication_to_people.rb +0 -18
data/test/dummy/db/schema.rb +0 -33
data/test/dummy/public/404.html +0 -26
data/test/dummy/public/422.html +0 -26
data/test/dummy/public/500.html +0 -26
data/test/dummy/public/favicon.ico +0 -0
data/test/dummy/public/javascripts/application.js +0 -2
data/test/dummy/public/javascripts/controls.js +0 -965
data/test/dummy/public/javascripts/dragdrop.js +0 -974
data/test/dummy/public/javascripts/effects.js +0 -1123
data/test/dummy/public/javascripts/prototype.js +0 -6001
data/test/dummy/public/javascripts/rails.js +0 -175
data/test/dummy/public/stylesheets/.gitkeep +0 -0
data/test/dummy/script/rails +0 -6
data/test/integration/activation_test.rb +0 -108
data/test/integration/authenticate_test.rb +0 -39
data/test/integration/blocked_test.rb +0 -23
data/test/integration/config_test.rb +0 -118
data/test/integration/cookie_test.rb +0 -67
data/test/integration/csrf_test.rb +0 -41
data/test/integration/forgotten_test.rb +0 -93
data/test/integration/helper_test.rb +0 -18
data/test/integration/locale_test.rb +0 -197
data/test/integration/navigation_test.rb +0 -7
data/test/integration/sign_in_person_test.rb +0 -26
data/test/integration/sign_in_test.rb +0 -24
data/test/integration/sign_out_test.rb +0 -20
data/test/integration/sign_up_test.rb +0 -21
data/test/quo_vadis_test.rb +0 -7
data/test/support/integration_case.rb +0 -11
data/test/test_helper.rb +0 -86
data/test/unit/user_test.rb +0 -75

data/Rakefile CHANGED Viewed

@@ -1,14 +1,20 @@
-require 'bundler'
-Bundler::GemHelper.install_tasks
+require 'bundler/setup'
-require 'rake/testtask'
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
+load 'rails/tasks/engine.rake'
+load 'rails/tasks/statistics.rake'
+require "bundler/gem_tasks"
+require "rake/testtask"
 Rake::TestTask.new(:test) do |t|
-  t.libs << 'lib'
-  t.libs << 'test'
-  t.pattern = 'test/**/*_test.rb'
-  t.verbose = false
-  t.warning = false
+  t.libs << "test"
+  # t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+  # t.warning = false
 end
-task :default => :test
+task default: :test

data/app/controllers/quo_vadis/confirmations_controller.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module QuoVadis
+  class ConfirmationsController < ApplicationController
+    # holding page
+    def index
+    end
+    # form for requesting new confirmation email
+    def new
+    end
+    # send new confirmation email form submits here
+    def create
+      account = QuoVadis.find_account_by_identifier_in_params params
+      unless account
+        redirect_to new_confirmation_path, alert: QuoVadis.translate('flash.confirmation.identifier') and return
+      end
+      request_confirmation account.model
+      redirect_to confirmations_path
+    end
+    # emailed confirmation link points here
+    def edit
+      account = AccountConfirmationToken.find_account params[:token]
+      unless account  # expired or already confirmed
+        redirect_to new_confirmation_path, alert: QuoVadis.translate('flash.confirmation.unknown') and return
+      end
+    end
+    # confirm the account (and login)
+    def update
+      account = AccountConfirmationToken.find_account params[:token]
+      unless account  # expired or already confirmed
+        redirect_to new_confirmation_path, alert: QuoVadis.translate('flash.confirmation.unknown') and return
+      end
+      account.confirmed!
+      qv.log account, Log::ACCOUNT_CONFIRMATION
+      login account.model, true
+      redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.confirmation.confirmed')
+    end
+  end
+end

data/app/controllers/quo_vadis/logs_controller.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module QuoVadis
+  class LogsController < ApplicationController
+    before_action :require_password_authentication
+    PER_PAGE = 25
+    def index
+      logs = authenticated_model.qv_account.logs
+      page = params[:page] ? params[:page].to_i : 1
+      @logs = logs.new_to_old.page(page, PER_PAGE)
+      @prev_page = page - 1 if page > 1
+      @next_page = page + 1 if logs.count > page * PER_PAGE
+    end
+  end
+end

data/app/controllers/quo_vadis/password_resets_controller.rb ADDED Viewed

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+module QuoVadis
+  class PasswordResetsController < ApplicationController
+    # holding page for after the create action
+    def index
+    end
+    def new
+    end
+    def create
+      flash[:notice] = QuoVadis.translate 'flash.password_reset.create'
+      account = QuoVadis.find_account_by_identifier_in_params params
+      return unless account
+      token = QuoVadis::PasswordResetToken.generate account
+      QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.edit_password_reset_url(token)
+      redirect_to password_resets_path
+    end
+    # emailed password-reset link points here
+    def edit
+      account = PasswordResetToken.find_account params[:token]
+      unless account  # expired or password already changed
+        redirect_to new_password_reset_path, alert: QuoVadis.translate('flash.password_reset.unknown') and return
+      end
+      @password = QuoVadis::Password.new
+    end
+    # really reset the password
+    def update
+      account = PasswordResetToken.find_account params[:token]
+      unless account  # expired or password already changed
+        redirect_to new_password_reset_path, alert: QuoVadis.translate('flash.password_reset.unknown') and return
+      end
+      @password = account.password
+      if @password.reset params[:password], params[:password_confirmation]
+        # Logout account's sessions because password has changed.
+        # Note model is not logged in here.
+        @password.account.sessions.destroy_all
+        qv.log @password.account, Log::PASSWORD_RESET
+        QuoVadis.notify :password_reset_notification, email: @password.account.model.email
+        login @password.account.model, true
+        redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.password_reset.reset')
+      else
+        render :edit
+      end
+    end
+  end
+end

data/app/controllers/quo_vadis/passwords_controller.rb ADDED Viewed

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+module QuoVadis
+  class PasswordsController < ApplicationController
+    before_action :require_authentication
+    def edit
+      @password = QuoVadis::Password.new
+    end
+    def update
+      @password = authenticated_model.qv_account.password
+      if @password.change params[:password], params[:new_password], params[:new_password_confirmation]
+        qv.log authenticated_model.qv_account, Log::PASSWORD_CHANGE
+        QuoVadis.notify :password_change_notification, email: authenticated_model.email
+        qv.logout_other_sessions
+        qv.replace_session
+        redirect_to qv.path_after_password_change, notice: QuoVadis.translate('flash.password.update')
+      else
+        render :edit
+      end
+    end
+  end
+end

data/app/controllers/quo_vadis/recovery_codes_controller.rb ADDED Viewed

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+module QuoVadis
+  class RecoveryCodesController < ApplicationController
+    before_action :require_password_authentication
+    def index
+      @codes = flash[:recovery_codes]
+      @recovery_code_count = account.recovery_codes.count
+    end
+    def challenge
+    end
+    def authenticate
+      if account.recovery_codes.detect { |rc| rc.authenticate_code params[:code] }
+        qv.log account, Log::RECOVERY_CODE_SUCCESS
+        qv.replace_session
+        qv.session_authenticated_with_second_factor
+        reset_totp
+        redirect_to qv.path_after_authentication,
+          notice: QuoVadis.translate('flash.recovery_code.success',
+                                     count: account.recovery_codes.count)
+      else
+        qv.log account, Log::RECOVERY_CODE_FAILURE
+        flash.now[:alert] = QuoVadis.translate('flash.recovery_code.unverified')
+        render :challenge
+      end
+    end
+    def generate
+      qv.log account, Log::RECOVERY_CODE_GENERATE
+      QuoVadis.notify :recovery_codes_generation_notification, email: authenticated_model.email
+      account.recovery_codes.delete_all
+      flash[:recovery_codes] = account.generate_recovery_codes
+      redirect_to quo_vadis.recovery_codes_path
+    end
+    private
+    def account
+      authenticated_model.qv_account
+    end
+    def reset_totp
+      account.totp&.destroy
+    end
+  end
+end

data/app/controllers/quo_vadis/sessions_controller.rb CHANGED Viewed

@@ -1,153 +1,71 @@
-class QuoVadis::SessionsController < ApplicationController
-  skip_filter :authenticate, :except => [:destroy]
-  layout :quo_vadis_layout
+# frozen_string_literal: true
-  # GET sign_in_path
-  def new
-    render 'sessions/new'
-  end
+module QuoVadis
+  class SessionsController < ApplicationController
+    # Don't require authentication for the :destroy action so that someone
+    # who has logged in via password but not completed 2fa can still log out.
+    before_action :require_authentication, except: [:new, :create, :destroy]
-  # POST sign_in_path
-  def create
-    if blocked?
-      flash_if_present :alert, 'quo_vadis.flash.sign_in.blocked', :now
-      render 'sessions/new'
-    elsif user = QuoVadis.model_class.authenticate(params[:username], params[:password])
-      flash_if_present :notice, 'quo_vadis.flash.sign_in.after'
-      sign_in user
-    else
-      QuoVadis.failed_sign_in_hook self
-      flash_if_present :alert, 'quo_vadis.flash.sign_in.failed', :now
-      render 'sessions/new'
+    def index
+      @qv_session = qv.session
+      @qv_sessions = @qv_session.account.sessions
     end
-  end
-  # GET sign_out_path
-  def destroy
-    QuoVadis.signed_out_hook send(:"current_#{QuoVadis.model_instance_name}"), self
-    self.send :"current_#{QuoVadis.model_instance_name}=", nil
-    flash_if_present :notice, 'quo_vadis.flash.sign_out'
-    redirect_to QuoVadis.signed_out_url(self)
-  end
-  # GET forgotten_sign_in_path
-  # POST forgotten_sign_in_path
-  def forgotten
-    if request.get?
-      render 'sessions/forgotten'
-    elsif request.post?
-      if params[:username].present? &&
-          (user = QuoVadis.model_class.where(:username => params[:username]).first)
-        if user.email.present?
-          user.generate_token!
-          QuoVadis::Notifier.change_password(user).deliver
-          flash_if_present :notice, 'quo_vadis.flash.forgotten.sent_email'
-          redirect_to :root
-        else
-          flash_if_present :alert, 'quo_vadis.flash.forgotten.no_email', :now
-          render 'sessions/forgotten'
-        end
-      else
-        flash_if_present :alert, 'quo_vadis.flash.forgotten.unknown', :now
-        render 'sessions/forgotten'
-      end
+    def new
     end
-  end
-  # GET change_password_path /sign-in/change-password/:token
-  def edit
-    if QuoVadis.model_class.valid_token(params[:token]).first
-      render 'sessions/edit'
-    else
-      invalid_token :forgotten
-    end
-  end
-  # PUT change_password_path /sign-in/change-password/:token
-  def update
-    if (user = QuoVadis.model_class.valid_token(params[:token]).first)
-      if params[:password].present?
-        user.password = params[:password]
-        if user.save
-          user.clear_token
-          flash_if_present :notice, 'quo_vadis.flash.forgotten.password_changed'
-          sign_in user
-        else
-          render 'sessions/edit'
-        end
-      else
-        render 'sessions/edit'
+    def create
+      account = QuoVadis.find_account_by_identifier_in_params params
+      unless account
+        qv.log nil, Log::LOGIN_UNKNOWN
+        flash.now[:alert] = QuoVadis.translate 'flash.login.failed'
+        render :new
+        return
       end
-    else
-      invalid_token :forgotten
-    end
-  end
-  # GET invitation_path /sign-in/invite/:token
-  def invite
-    if (@user = QuoVadis.model_class.valid_token(params[:token]).first)
-      # When we create a user who must activate their account, we give them
-      # a random username and password.  However we want to treat them as if
-      # they weren't set at all.
-      @user.username = nil
-      render 'sessions/invite'
-    else
-      invalid_token :activation
-    end
-  end
+      unless account.password.authenticate params[:password]
+        qv.log account, Log::LOGIN_FAILURE
+        flash.now[:alert] = QuoVadis.translate 'flash.login.failed'
+        render :new
+        return
+      end
-  # POST activation_path /sign-in/accept/:token
-  def accept
-    if (@user = QuoVadis.model_class.valid_token(params[:token]).first)
-      @user.username, @user.password = params[:username], params[:password]
-      # When we create a user who must activate their account, we give them
-      # a random username and password.  However we want to treat them as if
-      # they weren't set at all.
-      @user.password_digest = nil if params[:password].blank?
-      if @user.save
-        @user.clear_token
-        flash_if_present :notice, 'quo_vadis.flash.activation.accepted'
-        sign_in @user
-      else
-        flash_if_present :alert, 'quo_vadis.flash.activation.invalid_credentials', :now
-        render 'sessions/invite'
+      if QuoVadis.accounts_require_confirmation && !account.confirmed?
+        redirect_to new_confirmation_path, notice: QuoVadis.translate('flash.confirmation.required')
+        return
       end
-    else
-      invalid_token :activation
-    end
-  end
-  # Invites a user to set up their sign-in credentials.
-  def invite_to_activate(user, data = {})
-    return false if user.email.blank?
-    user.generate_token!
-    QuoVadis::Notifier.invite(user, data).deliver
-    true
-  end
-  hide_action :send_invitation
+      # no params[:remember]      => use QuoVadis.session_lifetime
+      #    params[:remember] == 0 => use :session
+      #    params[:remember] == 1 => use QuoVadis.session_lifetime
+      browser_session = params[:remember] == '0'
+      flash[:notice] = QuoVadis.translate 'flash.login.success'
-  private
+      login account.model, browser_session
-  def invalid_token(workflow) # :nodoc:
-    if workflow == :activation
-      flash_if_present :alert, 'quo_vadis.flash.activation.invalid_token'
-      redirect_to root_path
-    else
-      flash_if_present :alert, 'quo_vadis.flash.forgotten.invalid_token'
-      redirect_to forgotten_sign_in_url
+      redirect_to qv.path_after_authentication
     end
-  end
-  def quo_vadis_layout # :nodoc:
-    QuoVadis.layout
-  end
-  def flash_if_present(key, i18n_key, now = false)
-    if now
-      flash.now[key] = t(i18n_key) if t(i18n_key).present?
-    else
-      flash[key] = t(i18n_key) if t(i18n_key).present?
+    def destroy
+      if params[:id]  # other session
+        current_qv_session = qv.session
+        current_qv_session.account.sessions.destroy params[:id]
+        qv.log current_qv_session.account, Log::LOGOUT_OTHER
+        flash[:notice] = QuoVadis.translate 'flash.logout.other'
+        redirect_to action: :index
+      else  # this session
+        qv.log authenticated_model.qv_account, Log::LOGOUT
+        qv.logout
+        flash[:notice] = QuoVadis.translate 'flash.logout.self'
+        redirect_to main_app.root_path
+      end
     end
-  end
+  end
 end