quo_vadis 2.0.1 → 2.1.2

data/{test/dummy/app → app}/views/quo_vadis/passwords/edit.html.erb

@@ -1,14 +1,6 @@
 <h1>Change password</h1>
 
-<% if @password.errors.any? %>
-  <ul>
-    <% @password.errors.full_messages.each do |msg| %>
-      <li><%= msg %></li>
-    <% end %>
-  </ul>
-<% end %>
-
-<%= form_with url: password_path, method: :put do |f| %>
+<%= form_with model: @password, url: password_path, method: :put do |f| %>
   <p>
     <%= f.label :password %>
     <%= f.password_field :password, autocomplete: 'current-password' %>

data/config/locales/quo_vadis.en.yml

@@ -31,7 +31,6 @@ en:
           other: You have %{count} recovery codes left.
       2fa:
         invalidated: You have invalidated your 2FA credentials and recovery codes.
-
     mailer:
       password_reset:
         subject: Change your password
@@ -46,6 +45,36 @@ en:
         totp_reuse: Your two-factor authentication code was reused just now
         twofa_deactivated: Two-factor authentication was deactivated just now
         recovery_codes_generation: Recovery codes have been generated for your account
+    log:
+      action:
+        login:
+          success: Logged in
+          failure: Failed login attempt (incorrect password)
+          unknown: Failed login attempt (unknown identifier)
+        totp:
+          setup: TOTP set up for 2FA
+          success: Authenticated via TOTP
+          failure: Failed authentication attempt via TOTP
+          reuse: Failed attempt to reuse TOTP code
+        recovery_code:
+          success: Authenticated via 2FA recovery code
+          failure: Failed authentication attempt via 2FA recovery code
+          generate: Generated new 2FA recovery codes
+        2fa:
+          deactivated: Deactivated 2FA
+        identifier:
+          change: Changed identifier
+        email:
+          change: Changed email address
+        password:
+          change: Changed password
+          reset: Reset password
+        account:
+          confirmation: Confirmed account
+        logout:
+          self: Logged out
+          other: Logged out session remotely
+        revoke: Revoked access
   activerecord:
     errors:
       models:

data/config/routes.rb

@@ -12,12 +12,18 @@ QuoVadis::Engine.routes.draw do
   resource  :password, only: [:edit, :update]
 
   resources :password_resets, only: [:new, :create, :index]
-  get '/pwd-reset/:token', to: 'password_resets#edit',   as: 'edit_password_reset'
-  put '/pwd-reset/:token', to: 'password_resets#update', as: 'password_reset'
+  get '/pwd-reset/:token', to: 'password_resets#edit', as: 'password_reset'
+  put '/pwd-reset/:token', to: 'password_resets#update'
 
-  resources :confirmations, only: [:new, :create, :index]
-  get '/confirm/:token', to: 'confirmations#edit',   as: 'edit_confirmation'
-  put '/confirm/:token', to: 'confirmations#update', as: 'confirmation'
+  resources :confirmations, only: [:new, :create, :index] do
+    collection do
+      get :edit_email
+      put :update_email
+      post :resend
+    end
+  end
+  get '/confirm/:token', to: 'confirmations#edit', as: 'confirmation'
+  put '/confirm/:token', to: 'confirmations#update'
 
   resources :totps, only: [:new, :create] do
     collection do

data/lib/generators/quo_vadis/install_generator.rb

@@ -1,6 +1,6 @@
 module QuoVadis
   class InstallGenerator < Rails::Generators::Base
-    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'test' / 'dummy' / 'app' / 'views' / 'quo_vadis'
+    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'app' / 'views' / 'quo_vadis'
 
     desc "Copy QuoVadis' views into your app."
     def copy_views

data/lib/quo_vadis/controller.rb

@@ -17,9 +17,8 @@ module QuoVadis
 
     def require_password_authentication
       return if logged_in?
-      flash[:notice] = QuoVadis.translate 'flash.require_authentication'
       session[:qv_bookmark] = request.original_fullpath
-      redirect_to quo_vadis.login_path
+      redirect_to quo_vadis.login_path, notice: QuoVadis.translate('flash.require_authentication')
     end
     alias_method :require_authentication, :require_password_authentication
 
@@ -88,7 +87,8 @@ module QuoVadis
 
     def request_confirmation(model)
       token = QuoVadis::AccountConfirmationToken.generate model.qv_account
-      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.edit_confirmation_url(token)
+      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.confirmation_url(token)
+      session[:account_pending_confirmation] = model.qv_account.id
 
       flash[:notice] = QuoVadis.translate 'flash.confirmation.create'
     end

data/lib/quo_vadis/defaults.rb

@@ -3,7 +3,7 @@ require 'active_support/core_ext'
 QuoVadis.configure do
   password_minimum_length               12
   mask_ips                              false
-  cookie_name                           '__Host-qv'
+  cookie_name                           (Rails.env.production? ? '__Host-qv' : 'qv')
   session_lifetime                      :session
   session_lifetime_extend_to_end_of_day false
   session_idle_timeout                  :lifetime

data/lib/quo_vadis/model.rb

@@ -14,11 +14,9 @@ module QuoVadis
 
         has_one :qv_account, as: :model, class_name: 'QuoVadis::Account', dependent: :destroy, autosave: true
 
-        before_validation :qv_build_account_and_password, on: :create
-        before_validation :qv_copy_identifier_to_account
+        before_validation :qv_copy_identifier_to_account, if: Proc.new { |m| m.qv_account }
 
-        # Enable a new-user form to set a password.
-        validate :qv_copy_password_errors, on: :create
+        validate :qv_copy_password_errors, if: Proc.new { |m| m.qv_account&.password }
 
         unless validators_on(identifier).any? { |v| ActiveRecord::Validations::UniquenessValidator === v }
           raise NotImplementedError, <<~END
@@ -44,24 +42,23 @@ module QuoVadis
 
       def password=(val)
         @password = val
-        self.qv_account ||= build_qv_account
+        build_qv_account unless qv_account
         raise PasswordExistsError if qv_account.password&.persisted?
         (qv_account.password || qv_account.build_password).password = val
       end
 
       def password_confirmation=(val)
         @password_confirmation = val
-        self.qv_account ||= build_qv_account
+        build_qv_account unless qv_account
         (qv_account.password || qv_account.build_password).password_confirmation = val
       end
 
-      private
-
-      def qv_build_account_and_password
-        self.qv_account ||= build_qv_account
-        qv_account.password || qv_account.build_password
+      def revoke_authentication_credentials
+        qv_account.revoke
       end
 
+      private
+
       def qv_copy_password_errors
         qv_account.password.valid?  # force qv_account.password to validate
         qv_account.password.errors[:password             ].each { |message| errors.add :password,              message }

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.0.1'
+  VERSION = '2.1.2'
 end

data/lib/quo_vadis.rb

@@ -45,8 +45,12 @@ module QuoVadis
     end
 
     def find_account_by_identifier_in_params(params)
+      Account.find_by identifier: identifier_value_in_params(params)
+    end
+
+    def identifier_value_in_params(params)
       identifier = detect_identifier params.keys
-      Account.find_by identifier: params[identifier]
+      params[identifier]
     end
 
     # model - string class name, e.g. 'User'

data/test/dummy/app/controllers/sign_ups_controller.rb

@@ -13,7 +13,7 @@ class SignUpsController < ApplicationController
     if @user.save
       if QuoVadis.accounts_require_confirmation
         request_confirmation @user
-        redirect_to sign_up_path(@user)
+        redirect_to quo_vadis.confirmations_path
       else
         redirect_to articles_path
       end

data/test/dummy/config/initializers/quo_vadis.rb

@@ -1,7 +1,3 @@
 QuoVadis.configure do
-  # Cannot use the __Host- prefix in a non-SSL environment.
-  # https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3.2
-  cookie_name 'qv'
-
   session_lifetime 1.week
 end

data/test/integration/account_confirmation_test.rb

@@ -6,6 +6,10 @@ class AccountConfirmationTest < IntegrationTest
     QuoVadis.accounts_require_confirmation true
   end
 
+  teardown do
+    QuoVadis.accounts_require_confirmation false
+  end
+
 
   test 'new signup requiring confirmation' do
     assert_emails 1 do
@@ -36,8 +40,37 @@ class AccountConfirmationTest < IntegrationTest
   end
 
 
+  test 'new signup updates email' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+
+    get quo_vadis.edit_email_confirmations_path
+    assert_response :success
+
+    # First email: changed-email notifier sent to original address
+    # Second email: confirmation email sent to new address
+    assert_emails 2 do
+      put quo_vadis.update_email_confirmations_path(email: 'bobby@example.com')
+    end
+    assert_equal ['bobby@example.com'], ActionMailer::Base.deliveries.last.to
+    assert_redirected_to quo_vadis.confirmations_path
+  end
+
+
+  test 'resend confirmation email in same session' do
+    assert_emails 1 do
+      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+    end
+
+    assert_emails 1 do
+      post quo_vadis.resend_confirmations_path
+    end
+  end
+
+
   test 'resend confirmation email: valid identifier' do
-    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
 
     get quo_vadis.new_confirmation_path
     assert_response :success
@@ -91,7 +124,7 @@ class AccountConfirmationTest < IntegrationTest
 
 
   test 'accounts requiring confirmation cannot log in' do
-    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
     assert_redirected_to quo_vadis.new_confirmation_path
     assert_equal 'Please confirm your account first.', flash[:notice]

data/test/integration/logging_test.rb

@@ -15,13 +15,13 @@ class LoggingTest < IntegrationTest
     assert_response :success
 
     assert_select 'tbody tr' do
-      assert_select 'td', 'password.change'
+      assert_select 'td', 'Changed password'
       assert_select 'td', '1.2.3.4'
       assert_select 'td', 'foo: bar, baz: qux'
     end
 
     assert_select 'tbody tr' do
-      assert_select 'td', 'login.success'
+      assert_select 'td', 'Logged in'
       assert_select 'td', '127.0.0.1'
       assert_select 'td', ''
     end
@@ -43,7 +43,7 @@ class LoggingTest < IntegrationTest
 
 
   test 'login.unknown' do
-    assert_log QuoVadis::Log::LOGIN_UNKNOWN, {}, nil do
+    assert_log QuoVadis::Log::LOGIN_UNKNOWN, {'identifier' => 'wrong'}, nil do
       post quo_vadis.login_path(email: 'wrong', password: 'wrong')
     end
   end
@@ -157,7 +157,7 @@ class LoggingTest < IntegrationTest
   test 'password.change' do
     login
     assert_log QuoVadis::Log::PASSWORD_CHANGE do
-      put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'})
     end
   end
 
@@ -165,7 +165,7 @@ class LoggingTest < IntegrationTest
   test 'password.reset' do
     assert_difference 'QuoVadis::Log.count', 2 do
       token = QuoVadis::PasswordResetToken.generate @account
-      put quo_vadis.password_reset_path(token, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_reset_path(token, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     end
     assert_equal QuoVadis::Log::PASSWORD_RESET, QuoVadis::Log.first.action
     assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
@@ -201,6 +201,15 @@ class LoggingTest < IntegrationTest
   end
 
 
+  test 'revoke' do
+    login_new_session
+    assert_log QuoVadis::Log::REVOKE do
+      QuoVadis::CurrentRequestDetails.ip = '127.0.0.1'  # fake out the IP assertion
+      @account.revoke
+    end
+  end
+
+
   private
 
   def assert_log(action, metadata = {}, account = @account, &block)

data/test/integration/password_change_test.rb

@@ -18,29 +18,31 @@ class PasswordChangeTest < IntegrationTest
 
 
   test 'incorrect password' do
-    put quo_vadis.password_path(password: 'x')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: 'x'})
+    assert_response :unprocessable_entity
     assert_equal ['is incorrect'], password_instance.errors[:password]
   end
 
 
   test 'new password empty' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: '')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: ''})
+    assert_response :unprocessable_entity
     assert_equal ["can't be blank"], password_instance.errors[:new_password]
   end
 
 
   test 'new password too short' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: 'x')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'x'})
+    assert_response :unprocessable_entity
     assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], password_instance.errors[:new_password]
   end
 
 
   test 'new password confirmation does not match' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y')
-    assert_response :success
+    put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y'
+    })
+    assert_response :unprocessable_entity
     assert_equal ["doesn't match Password"], password_instance.errors[:new_password_confirmation]
   end
 
@@ -48,7 +50,9 @@ class PasswordChangeTest < IntegrationTest
   test 'success' do
     assert_emails 1 do
       assert_session_replaced do
-        put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+        put quo_vadis.password_path(password: {
+          password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+        })
         assert_response :redirect
         assert_equal 'Your password has been changed.', flash[:notice]
       end
@@ -60,7 +64,9 @@ class PasswordChangeTest < IntegrationTest
     desktop = session_login
     phone = session_login
 
-    desktop.put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+    desktop.put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+    })
     desktop.follow_redirect!
     assert desktop.controller.logged_in?
 

data/test/integration/password_login_test.rb

@@ -21,6 +21,7 @@ class PasswordLoginTest < IntegrationTest
 
   test 'successful login redirects to original path' do
     get also_secret_articles_path
+    refute_nil session[:qv_bookmark]
 
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
@@ -30,11 +31,22 @@ class PasswordLoginTest < IntegrationTest
   end
 
 
+  test 'successful login does not redirect to login path' do
+    get quo_vadis.login_path
+    assert_nil session[:qv_bookmark]
+
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    assert_redirected_to after_login_path
+  end
+
+
   test 'failed login' do
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
 
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.login_path, path
   end
 
@@ -42,7 +54,7 @@ class PasswordLoginTest < IntegrationTest
   test 'unknown login' do
     post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
 
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.login_path, path
   end
 

data/test/integration/password_reset_test.rb

@@ -15,7 +15,7 @@ class PasswordResetTest < IntegrationTest
 
   test 'unknown identifier' do
     post quo_vadis.password_resets_path(email: 'foo@example.com')
-    assert_response :success
+    assert_redirected_to quo_vadis.password_resets_path
     assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
   end
 
@@ -53,10 +53,10 @@ class PasswordResetTest < IntegrationTest
     assert_emails 1 do
       post quo_vadis.password_resets_path(email: 'bob@example.com')
     end
-    put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+    put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     assert controller.logged_in?
 
-    get quo_vadis.edit_password_reset_url(extract_token_from_email)
+    get quo_vadis.password_reset_url(extract_token_from_email)
     assert_redirected_to quo_vadis.new_password_reset_path
     assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
   end
@@ -70,11 +70,11 @@ class PasswordResetTest < IntegrationTest
     end
 
     assert_no_difference 'QuoVadis::Session.count' do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: '', password_confirmation: '')
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: '', password_confirmation: ''})
     end
 
     assert_equal digest, @user.qv_account.password.reload.password_digest
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.password_reset_path(extract_token_from_email), path
   end
 
@@ -95,7 +95,7 @@ class PasswordResetTest < IntegrationTest
     end
 
     assert_difference 'QuoVadis::Session.count', (- 2 + 1) do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     end
 
     assert controller.logged_in?

data/test/integration/totps_test.rb

@@ -74,7 +74,7 @@ class TotpsTest < IntegrationTest
 
     post quo_vadis.authenticate_totps_path(totp: '123456')
     refute QuoVadis::Session.last.second_factor_authenticated?
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal 'Sorry, the code was incorrect. Please check your system clock is correct and try again.', flash[:alert]
   end
 

data/test/models/account_test.rb

@@ -31,4 +31,20 @@ class AccountTest < ActiveSupport::TestCase
     end
   end
 
+
+  test 'revoke' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+    account.create_totp last_used_at: 1.minute.ago
+    account.generate_recovery_codes
+
+    u.revoke_authentication_credentials
+    account.reload
+
+    assert_nil account.password
+    assert_nil account.totp
+    assert_empty account.recovery_codes
+    assert_empty account.sessions
+  end
+
 end

data/test/models/password_test.rb

@@ -46,6 +46,9 @@ class PasswordTest < ActiveSupport::TestCase
 
   test 'model passes through password to quo_vadis' do
     user = User.new name: 'bob', email: 'bob@example.com'
+    assert user.valid?
+
+    user = User.new name: 'bob', email: 'bob@example.com', password: ''
     refute user.valid?
     refute_empty user.errors[:password]
 
@@ -117,6 +120,19 @@ class PasswordTest < ActiveSupport::TestCase
   end
 
 
+  test 'passwords can only be updated via #change and #reset' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+
+    refute pw.update password: 'secretsecret'
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+
+    pw.password = VALID_PASSWORD
+    refute pw.save
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+  end
+
+
   test 'cascade destroy' do
     user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
     assert user.qv_account.persisted?

data/test/models/recovery_code_test.rb

@@ -42,13 +42,19 @@ class RecoveryCodeTest < ActiveSupport::TestCase
   test 'generate a fresh set of codes' do
     account = @user.qv_account
     codes = []
-    assert_difference 'QuoVadis::RecoveryCode.count', 5 do
+    assert_difference 'QuoVadis::RecoveryCode.count', (-1 + 5) do
       codes = account.generate_recovery_codes
     end
     assert_equal 5, codes.length
+    assert_equal 5, account.recovery_codes.count
     codes.each do |code|
       assert_instance_of String, code
     end
+
+    new_codes = account.generate_recovery_codes
+    assert_equal 5, new_codes.length
+    assert_equal 5, account.recovery_codes.count
+    refute_equal new_codes, codes
   end
 
 end

data/test/models/token_test.rb

@@ -52,7 +52,7 @@ class TokenTest < ActiveSupport::TestCase
 
   test 'password reset already done' do
     token = QuoVadis::PasswordResetToken.generate @account
-    @account.password.update password: 'secretsecret'
+    @account.password.reset 'secretsecret', 'secretsecret'
     assert_nil QuoVadis::PasswordResetToken.find_account(token)
   end