quo_vadis 2.0.1 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9ed3f9c506465f26124edf6207abe8bd40d8a87587d779c9789a882eb3894153
-  data.tar.gz: 9fb0294a48aef63132e359c97529e9547d3f6e6425ebcd734b2eff08a385fe2f
+  metadata.gz: 5b81cb83f9cd0b6bb6e9af4015dba59b5cef0f5c3fccd5a82ee6d7e1bbc5768a
+  data.tar.gz: 8a9f5f0c013ec89de6849e9ddb3393fee46b84a2d08b20e606126cf97bba8032
 SHA512:
-  metadata.gz: a40cb588843f7e78d186e3203ac082e7238ceb21ced56393b26822b353797f214cd4d0bc77242a1d51d4e197a6ca95f2d0b6eebd97a8f730bda48eb2f86c9c3b
-  data.tar.gz: 826424470205327161484deff2aa1a031fd7426bf189c493488a9223fbe542b32ea47c89faa6b732fc3fe9d02da6bcd59cd7d31d042b9a30b775e3fae9229c34
+  metadata.gz: a7b5e766f22e55e5bc269d00e6fb9132cc54ba2523a72996d0d7da478dbf0662764d29265c591f5847d5f2cfaeaca1e78fb4d48fb8fecb24af0bee9e9c2047e2
+  data.tar.gz: 47bf8bba82c90f3b7527be6a316ec8f9a4b229077a6846454abecebd6d2ae29910f7e416635d9cc1d54e3b99fe87d4c7d0ca871741907f1987d1ee42bf79994b

data/CHANGELOG.md

@@ -1,6 +1,37 @@
 # CHANGELOG
 
 
+## HEAD
+
+
+## 2.1.1 (8 July 2021)
+
+* Remove unnecessary route names.
+* Add user revocation.
+* Ensure password is only updated via #change or #reset.
+* Move views into gem's app/views/ directory.
+
+
+## 2.1.0 (25 June 2021)
+
+* Do not require password on create.
+* Fix incorrect assignment of built association.
+* Add i18n translations for log actions.
+* Use model instance in change-password form.
+* Ensure password-reset flash notice not displayed when emailed link is clicked.
+* Use model instance in password-reset form.
+* Give no indication of unknown account on request of password reset email.
+* Use 422 status code for form submission error responses.
+* Make default cookie name depend on Rails environment.
+
+
+## 2.0.2 (24 May 2021)
+
+* Account confirmation: enable updating of email address.
+* Account confirmation: enable direct resending of email.
+* Log unknown identifier in metadata.
+
+
 ## 2.0.1 (18 May 2021)
 
 * Remove Gemfile.lock from repo.

data/README.md

@@ -86,9 +86,9 @@ class Person < ApplicationRecord
 end
 ```
 
-When __creating__ a model instance, include a `:password` attribute and, optionally, `:password_confirmation` attribute.
+You can create and update your models as before.  When you want to set a password for the first time, just include `:password` and, optionally, `:password_confirmation` in the attributes to `#create` or `#update`.
 
-When __updating__ a model instance, do not include a `:password` attribute.  To change someone's password, use the Change Password feature (see below).
+If you want to change an existing password, use the Change Password feature (see below).  If you update a model (that already has a password) with a `:password` attribute, it will raise a `QuoVadis::PasswordExistsError`.
 
 The minimum password length is configured by `QuoVadis.password_minimum_length` (12 by default).
 
@@ -232,7 +232,7 @@ class UsersController < ApplicationController
     @user = User.new user_params
     if @user.save
       request_confirmation @user
-      redirect_to qv.confirmations_path  # a page where you advise the user to check their email
+      redirect_to quo_vadis.confirmations_path  # a page where you advise the user to check their email
     else
       # ...
     end
@@ -246,17 +246,19 @@ class UsersController < ApplicationController
 end
 ```
 
-QuoVadis will send the user an email with a link.  Write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb)).  It must be in `app/views/quo_vadis/mailer/account_confirmation.{text,html}.erb` and output the `@url` variable.
+QuoVadis will send the user an email with a link.  Write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/account_confirmation.text.erb)).  It must be in `app/views/quo_vadis/mailer/account_confirmation.{text,html}.erb` and output the `@url` variable.
 
 See the Configuration section below for how to set QuoVadis's emails' from addresses, headers, etc.
 
-Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/index.html.erb)).  It must be in `app/views/quo_vadis/confirmations/index.html.:format`.
+Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/index.html.erb)).  It must be in `app/views/quo_vadis/confirmations/index.html.:format`.
 
-It's a good idea for that page to link to `new_confirmation_path` where the user can request another email if need be.
+On that page you can show the user the address the email was sent to, enable them to update their email address if they make a mistake on the sign-up form, and provide a button to resend another email directly.  If the sign-up occurred in a different browser session, you can instead link to `new_confirmation_path` where the user can request another email if need be.
 
-Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/edit.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit.html.:format`.
+Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/edit.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit.html.:format`.
 
-Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another confirmation email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/new.html.erb)).  It must be in `app/views/quo_vadis/confirmations/new.html.:format`.
+Next, write the page where the user can amend their email address if they made a mistake when signing up ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/edit_email.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit_email.html.:format`.
+
+Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another confirmation email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/new.html.erb)).  It must be in `app/views/quo_vadis/confirmations/new.html.:format`.
 
 After the user has confirmed their account, they will be logged in and redirected to the first of these that exists:
 
@@ -270,7 +272,7 @@ So add whichever works best for you.
 
 Use `before_action :require_password_authentication` or `before_action :require_authentication` in your controllers.
 
-Write the login view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/sessions/new.html.erb)).  Your login form must be in `app/views/quo_vadis/sessions/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
+Write the login view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/sessions/new.html.erb)).  Your login form must be in `app/views/quo_vadis/sessions/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
 
 If you include a `remember` checkbox in your login form:
 
@@ -290,7 +292,7 @@ After authenticating the user will be redirected to the first of these that exis
 
 If you do not want 2FA at all, set `QuoVadis.two_factor_authentication_mandatory false` in your configuration and skip the rest of this section.
 
-If you do want 2FA, you can choose whether it is optional or mandatory for your users by setting `QuoVadis.two_factor_authentication_mandatory <true|false>` in your configuration.
+If you do want 2FA, you can choose whether it is mandatory or optional for your users by setting `QuoVadis.two_factor_authentication_mandatory <true|false>` in your configuration.
 
 Use `before_action :require_two_factor_authentication` in your controllers (which supersedes `:require_password_authentication`).  This will require the user, after authenticating with their password, to authenticate with 2FA – when 2FA is mandatory, or when it is optional and the user has set up 2FA.
 
@@ -310,22 +312,22 @@ In your views, have a link where users can manage their 2FA:
 link_to '2FA', quo_vadis.twofa_path
 ```
 
-Write the 2FA overview page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/twofas/show.html.erb)).  It must be in `app/views/quo_vadis/twofas/show.html.:format`.  This page allows the user to set up 2FA, deactivate or reset it, and generate new recovery codes.
+Write the 2FA overview page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/twofas/show.html.erb)).  It must be in `app/views/quo_vadis/twofas/show.html.:format`.  This page allows the user to set up 2FA, deactivate or reset it, and generate new recovery codes.
 
-Next, write the TOTP setup page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/totps/new.html.erb)).  It must be in `app/views/quo_vadis/totps/new.html.:format`.  This page shows the user a QR code (and the key as text) which they scan with their authenticator.
+Next, write the TOTP setup page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/totps/new.html.erb)).  It must be in `app/views/quo_vadis/totps/new.html.:format`.  This page shows the user a QR code (and the key as text) which they scan with their authenticator.
 
-Next, write the recovery codes page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/recovery_codes/index.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/index.html.:format`.  This shows the recovery codes immediately after TOTP is setup, and immediately after generating fresh recovery codes, but not otherwise.
+Next, write the recovery codes page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/recovery_codes/index.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/index.html.:format`.  This shows the recovery codes immediately after TOTP is setup, and immediately after generating fresh recovery codes, but not otherwise.
 
-Next, write the TOTP challenge page where a user inputs their 6-digit TOTP ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/totps/challenge.html.erb)).  It must be in `app/views/quo_vadis/totps/challenge.html.:format`.  It's a good idea to link to the recovery code page (`challenge_recovery_codes_path`) for any user who has lost their authenticator.
+Next, write the TOTP challenge page where a user inputs their 6-digit TOTP ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/totps/challenge.html.erb)).  It must be in `app/views/quo_vadis/totps/challenge.html.:format`.  It's a good idea to link to the recovery code page (`challenge_recovery_codes_path`) for any user who has lost their authenticator.
 
-Finally, write the recovery code challenge page where a user inputs one of their recovery codes ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/recovery_codes/challenge.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/challenge.html.:format`.  A recovery code can only be used once, and using one deactivates TOTP – so the user will have to set it up again next time.
+Finally, write the recovery code challenge page where a user inputs one of their recovery codes ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/recovery_codes/challenge.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/challenge.html.:format`.  A recovery code can only be used once, and using one deactivates TOTP – so the user will have to set it up again next time.
 
 
 ### Change password
 
 To change their password, the user must provide their current one as well as the new one.
 
-Write the change-password form ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/passwords/edit.html.erb)).  It must be in `app/views/quo_vadis/passwords/edit.html.:format`.
+Write the change-password form ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/passwords/edit.html.erb)).  It must be in `app/views/quo_vadis/passwords/edit.html.:format`.
 
 After the password has been changed, the user is redirected to the first of:
 
@@ -345,17 +347,17 @@ The user can reset their password if they lose it.  The flow is:
 4. [Password-reset confirmation page] The user enters their new password and clicks a button.
 5. QuoVadis sets the user's password and logs them in.
 
-First, write the page where the user requests a password-reset ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/new.html.erb)).  It must be in `app/views/quo_vadis/password_resets/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
+First, write the page where the user requests a password-reset ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/new.html.erb)).  It must be in `app/views/quo_vadis/password_resets/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
 
 See the Configuration section below for how to set QuoVadis's emails' from addresses, headers, etc.
 
-Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/index.html.erb)).  It must be in `app/views/quo_vadis/password_resets/index.html.:format`.
+Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/index.html.erb)).  It must be in `app/views/quo_vadis/password_resets/index.html.:format`.
 
 It's a good idea for that page to link to `new_password_reset_path` where the user can request another email if need be.
 
-Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/edit.html.erb)).  It must be in `app/views/quo_vadis/password_resets/edit.html.:format`.
+Now write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/reset_password.text.erb)).  It must be in `app/views/quo_vadis/mailer/reset_password.{text,html}.erb` and output the `@url` variable.
 
-Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another password-reset email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/new.html.erb)).  It must be in `app/views/quo_vadis/password_resets/new.html.:format`.
+Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/edit.html.erb)).  It must be in `app/views/quo_vadis/password_resets/edit.html.:format`.
 
 After the user has reset their password, they will be logged in and redirected to the first of these that exists:
 
@@ -369,14 +371,14 @@ A logged-in session lasts for either the browser session or `QuoVadis.session_li
 
 A user can view their active sessions and log out of any of them.
 
-Write the view showing the sessions ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/sessions/index.html.erb)).  It must be in `app/views/quo_vadis/sessions/index.html.:format`.
+Write the view showing the sessions ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/sessions/index.html.erb)).  It must be in `app/views/quo_vadis/sessions/index.html.:format`.
 
 
 ### Audit trail
 
 An audit trail is kept of authentication events.  You can see the full list in the [`Log`](https://github.com/airblade/quo_vadis/blob/master/app/models/quo_vadis/log.rb) class.
 
-Write the view showing the events ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/logs/index.html.erb)).  It must be in `app/views/quo_vadis/logs/index.html.:format`.
+Write the view showing the events ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/logs/index.html.erb)).  It must be in `app/views/quo_vadis/logs/index.html.:format`.
 
 
 ### Notifications
@@ -385,18 +387,23 @@ QuoVadis notifies users by email whenever their authentication details are chang
 
 Write the corresponding mailer views:
 
-- change of email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb))
-- change of identifier (unless the identifier is email) ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb))
-- change of password ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb))
-- reset of password ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb))
-- TOTP setup ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/totp_setup_notification.text.erb))
-- TOTP code used a second time ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb))
-- 2FA deactivated ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb))
-- recovery codes generated ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb))
+- change of email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/email_change_notification.text.erb))
+- change of identifier (unless the identifier is email) ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/identifier_change_notification.text.erb))
+- change of password ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/password_change_notification.text.erb))
+- reset of password ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/password_reset_notification.text.erb))
+- TOTP setup ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/totp_setup_notification.text.erb))
+- TOTP code used a second time ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb))
+- 2FA deactivated ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb))
+- recovery codes generated ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb))
 
 They must be in `app/views/quo_vadis/mailer/NAME.{text,html}.erb`.
 
 
+### Revocation
+
+You can revoke a user's access by calling `#revoke_authentication_credentials` on the model instance.  This deletes the user's password, TOTP credential, recovery codes, and active sessions.  Their authentication logs, or audit trail, are preserved.
+
+
 ## Configuration
 
 This is QuoVadis' [default configuration](https://github.com/airblade/quo_vadis/blob/master/lib/quo_vadis/defaults.rb):
@@ -405,7 +412,7 @@ This is QuoVadis' [default configuration](https://github.com/airblade/quo_vadis/
 QuoVadis.configure do
   password_minimum_length               12
   mask_ips                              false
-  cookie_name                           '__Host-qv'
+  cookie_name                           (Rails.env.production? ? '__Host-qv' : 'qv')
   session_lifetime                      :session
   session_lifetime_extend_to_end_of_day false
   session_idle_timeout                  :lifetime
@@ -436,7 +443,7 @@ Masking means setting the last octet (IPv4) or the last 80 bits (IPv6) to 0.
 
 __`cookie_name`__ (string)
 
-The name of the cookie QuoVadis uses to store the session identifier.  The `__Host-` prefix is [recommended](https://developer.mozilla.org/en-US/docs/Web/API/document/cookie).
+The name of the cookie QuoVadis uses to store the session identifier.  The `__Host-` prefix is [recommended](https://developer.mozilla.org/en-US/docs/Web/API/document/cookie) in an SSL environment (but cannot be used in a non-SSL environment).
 
 __`session_lifetime`__ (`:session` | `ActiveSupport::Duration` | integer)
 
@@ -488,13 +495,32 @@ For example, the default login path is at `/login`.  If you set `mount_point` to
 
 #### Rails configuration
 
+__Mailer URLs__
+
 You must also configure the mailer host so URLs are generated correctly in emails:
 
 ```ruby
 config.action_mailer.default_url_options: { host: 'example.com' }
 ```
 
-Finally, you can set up your post-authentication and post-password-change routes.  If you don't, you must have a root route.  For example:
+__Layouts__
+
+You can specify QuoVadis's controllers' layouts in a `#to_prepare` block in your application configuration.  For example:
+
+```ruby
+# config/application.rb
+module YourApp
+  class Application < Rails::Application
+    config.to_prepare do
+      QuoVadis::ConfirmationsController.layout 'your_layout'
+    end
+  end
+end
+```
+
+__Routes__
+
+You can set up your post-authentication and post-password-change routes.  If you don't, you must have a root route.  For example:
 
 ```ruby
 # config/routes.rb

data/app/controllers/quo_vadis/confirmations_controller.rb

@@ -5,6 +5,7 @@ module QuoVadis
 
     # holding page
     def index
+      @account = find_pending_account_from_session
     end
 
 
@@ -45,12 +46,57 @@ module QuoVadis
       end
 
       account.confirmed!
-
       qv.log account, Log::ACCOUNT_CONFIRMATION
 
+      session.delete :account_pending_confirmation
+
       login account.model, true
       redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.confirmation.confirmed')
     end
 
+
+    def edit_email
+      account = find_pending_account_from_session
+
+      unless account
+        redirect_to confirmations_path, alert: QuoVadis.translate('flash.confirmation.unknown') and return
+      end
+
+      @email = account.model.email
+    end
+
+
+    def update_email
+      account = find_pending_account_from_session
+
+      unless account
+        redirect_to confirmations_path, alert: QuoVadis.translate('flash.confirmation.unknown') and return
+      end
+
+      account.model.update email: params[:email]
+
+      request_confirmation account.model
+      redirect_to confirmations_path
+    end
+
+
+    def resend
+      account = find_pending_account_from_session
+
+      unless account
+        redirect_to confirmations_path, alert: QuoVadis.translate('flash.confirmation.unknown') and return
+      end
+
+      request_confirmation account.model
+      redirect_to confirmations_path
+    end
+
+
+    private
+
+    def find_pending_account_from_session
+      Account.find(session[:account_pending_confirmation]) if session[:account_pending_confirmation]
+    end
+
   end
 end

data/app/controllers/quo_vadis/password_resets_controller.rb

@@ -13,15 +13,14 @@ module QuoVadis
 
 
     def create
-      flash[:notice] = QuoVadis.translate 'flash.password_reset.create'
-
       account = QuoVadis.find_account_by_identifier_in_params params
-      return unless account
 
-      token = QuoVadis::PasswordResetToken.generate account
-      QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.edit_password_reset_url(token)
+      if account
+        token = QuoVadis::PasswordResetToken.generate account
+        QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.password_reset_url(token)
+      end
 
-      redirect_to password_resets_path
+      redirect_to password_resets_path, notice: QuoVadis.translate('flash.password_reset.create')
     end
 
 
@@ -33,6 +32,10 @@ module QuoVadis
         redirect_to new_password_reset_path, alert: QuoVadis.translate('flash.password_reset.unknown') and return
       end
 
+      # Ensure the flash notice set in the create action does not appear when the user clicks the
+      # link in the email they were sent.
+      flash.delete :notice
+
       @password = QuoVadis::Password.new
     end
 
@@ -46,7 +49,7 @@ module QuoVadis
       end
 
       @password = account.password
-      if @password.reset params[:password], params[:password_confirmation]
+      if @password.reset params[:password][:password], params[:password][:password_confirmation]
         # Logout account's sessions because password has changed.
         # Note model is not logged in here.
         @password.account.sessions.destroy_all
@@ -57,7 +60,7 @@ module QuoVadis
         login @password.account.model, true
         redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.password_reset.reset')
       else
-        render :edit
+        render :edit, status: :unprocessable_entity
       end
     end
 

data/app/controllers/quo_vadis/passwords_controller.rb

@@ -11,14 +11,16 @@ module QuoVadis
 
     def update
       @password = authenticated_model.qv_account.password
-      if @password.change params[:password], params[:new_password], params[:new_password_confirmation]
+      if @password.change(params[:password][:password],
+                          params[:password][:new_password],
+                          params[:password][:new_password_confirmation])
         qv.log authenticated_model.qv_account, Log::PASSWORD_CHANGE
         QuoVadis.notify :password_change_notification, email: authenticated_model.email
         qv.logout_other_sessions
         qv.replace_session
         redirect_to qv.path_after_password_change, notice: QuoVadis.translate('flash.password.update')
       else
-        render :edit
+        render :edit, status: :unprocessable_entity
       end
     end
 

data/app/controllers/quo_vadis/recovery_codes_controller.rb

@@ -27,7 +27,7 @@ module QuoVadis
       else
         qv.log account, Log::RECOVERY_CODE_FAILURE
         flash.now[:alert] = QuoVadis.translate('flash.recovery_code.unverified')
-        render :challenge
+        render :challenge, status: :unprocessable_entity
       end
     end
 

data/app/controllers/quo_vadis/sessions_controller.rb

@@ -21,16 +21,16 @@ module QuoVadis
       account = QuoVadis.find_account_by_identifier_in_params params
 
       unless account
-        qv.log nil, Log::LOGIN_UNKNOWN
+        qv.log nil, Log::LOGIN_UNKNOWN, identifier: QuoVadis.identifier_value_in_params(params)
         flash.now[:alert] = QuoVadis.translate 'flash.login.failed'
-        render :new
+        render :new, status: :unprocessable_entity
         return
       end
 
       unless account.password.authenticate params[:password]
         qv.log account, Log::LOGIN_FAILURE
         flash.now[:alert] = QuoVadis.translate 'flash.login.failed'
-        render :new
+        render :new, status: :unprocessable_entity
         return
       end
 

data/app/controllers/quo_vadis/totps_controller.rb

@@ -53,7 +53,7 @@ module QuoVadis
           qv.log authenticated_model.qv_account, Log::TOTP_FAILURE
         end
         flash.now[:alert] = QuoVadis.translate('flash.totp.unverified')
-        render :challenge
+        render :challenge, status: :unprocessable_entity
       end
     end
 

data/app/models/quo_vadis/account.rb

@@ -32,9 +32,23 @@ module QuoVadis
 
     # Returns an array of the recovery codes' codes.
     def generate_recovery_codes
+      recovery_codes.delete_all
       Array.new(MAX_NUMBER_OF_RECOVERY_CODES) { recovery_codes.create }.map &:code
     end
 
+    def revoke
+      password&.destroy
+      totp&.destroy
+      recovery_codes.destroy_all
+      sessions.destroy_all
+
+      Log.create(
+        account: self,
+        action: Log::REVOKE,
+        ip: (CurrentRequestDetails.ip || '')
+      )
+    end
+
     private
 
     def log_identifier_change

data/app/models/quo_vadis/log.rb

@@ -21,7 +21,8 @@ module QuoVadis
     PASSWORD_RESET         = 'password.reset'
     ACCOUNT_CONFIRMATION   = 'account.confirmation'
     LOGOUT_OTHER           = 'logout.other'
-    LOGOUT                 = 'logout'
+    LOGOUT                 = 'logout.self'
+    REVOKE                 = 'revoke'
 
     ACTIONS = [
       LOGIN_SUCCESS,
@@ -41,7 +42,8 @@ module QuoVadis
       PASSWORD_RESET,
       ACCOUNT_CONFIRMATION,
       LOGOUT_OTHER,
-      LOGOUT
+      LOGOUT,
+      REVOKE
     ]
 
     belongs_to :account, optional: true  # optional only for LOGIN_UNKNOWN

data/app/models/quo_vadis/password.rb

@@ -7,6 +7,7 @@ module QuoVadis
     has_secure_password
 
     validates_length_of :password, minimum: QuoVadis.password_minimum_length, allow_blank: true
+    validate :password_updated_legitimately, on: :update
 
     attr_accessor :new_password
 
@@ -48,5 +49,20 @@ module QuoVadis
       save
     end
 
+    private
+
+    def password_updated_legitimately
+      return unless password_digest_changed?
+
+      unless change_or_reset_called?
+        errors.add :password, 'must be updated via #change or #reset'
+      end
+    end
+
+    def change_or_reset_called?
+      caller_locations.any? { |loc|
+        ['change', 'reset'].include?(loc.label) && Pathname.new(loc.path).basename.to_s == 'password.rb'
+      }
+    end
   end
 end

data/app/views/quo_vadis/confirmations/edit_email.html.erb

@@ -0,0 +1,14 @@
+<h1>Account confirmation: change email</h1>
+
+<p>Please update your email address.</p>
+
+<%= form_with url: update_email_confirmations_path, method: :put do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, value: @email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.submit 'Update my email address and send me a new confirmation email' %>
+  </p>
+<% end %>

data/app/views/quo_vadis/confirmations/index.html.erb

@@ -0,0 +1,14 @@
+<h1>Account confirmation</h1>
+
+<% if @account %>
+  <p>We have sent an email to <%= @account.model.email %>.</p>
+
+  <p>Wrong address?  <%= link_to 'Change it', edit_email_confirmations_path %>.</p>
+
+  <p>Didn't receive it?  <%= button_to 'Get another one', resend_confirmations_path %></p>
+
+<% else %>
+  <p>We have sent an email to you.</p>
+
+  <p><%= link_to 'Request a new email', new_confirmation_path %></p>
+<% end %>

data/{test/dummy/app → app}/views/quo_vadis/logs/index.html.erb

@@ -3,6 +3,7 @@
 <table>
   <thead>
     <tr>
+      <th>Timestamp</th>
       <th>Action</th>
       <th>IP</th>
       <th>Metadata</th>
@@ -11,7 +12,8 @@
   <tbody>
     <% @logs.each do |log| %>
       <tr>
-        <td><%= log.action %></td>
+        <td><%= log.created_at %></td>
+        <td><%= QuoVadis.translate "log.action.#{log.action}" %></td>
         <td><%= log.ip %></td>
         <td><%= log.metadata.empty? ? '' : log.metadata.map {|k,v| "#{k}: #{v}"}.join(', ') %></td>
       </tr>

data/{test/dummy/app → app}/views/quo_vadis/password_resets/edit.html.erb

@@ -1,14 +1,6 @@
 <h1>Reset password</h1>
 
-<% if @password.errors.any? %>
-  <ul>
-    <% @password.errors.full_messages.each do |msg| %>
-      <li><%= msg %></li>
-    <% end %>
-  </ul>
-<% end %>
-
-<%= form_with url: password_reset_path(params[:token]), method: :put do |f| %>
+<%= form_with model: @password, url: password_reset_path(params[:token]), method: :put do |f| %>
   <p>
     <%= f.label :password %>
     <%= f.password_field :password, autocomplete: 'new-password' %>