quo_vadis 2.0.2 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aca902d10c618abd2c9c0461aac204236b4ef7565911aafb5bb12dfe1e3b25e1
-  data.tar.gz: 3417365d9ca59d5e17a1b28118d3c9ec439b77fb228da9968512786dd3797a12
+  metadata.gz: 4f8acc907c43d19fcc6f9be59854be5e848add025d427f78ec608b2e24677e73
+  data.tar.gz: efab0ab6fc83535466f6bb6e31bb056016c5220ef227155629601e5c17aff5b6
 SHA512:
-  metadata.gz: 5ffdeced9bd86b0a64fe21f3491f3ad03cb2098f0687b663ab794c37e278383ad235df856d8a18bf8e73108d602661990992dd033cbc1358849b8824ac25aff6
-  data.tar.gz: 59c52478f7a5bc8ee0befe682ee520feec894c6fefe875cc84395e827ae62f9cbf5eb588862cf8eb3888b5b0ba102700b61f5d401156dc9eff893e05307d1787
+  metadata.gz: 8d34c8922431d4234650c50718a29b71a328b070582bb5b7fac74d4b1e2b6847bc2b130a197d6dcc05d93d2c0dab882a90fecf9faa3e1620f36acb48b9be3778
+  data.tar.gz: 4f471b97ff2a2dc0461ddac1f68c1e9f263ac5c188ab89daf2974f3c8f2e85c5e2b586da72b8c798d5f696acf3a2a7079aef57fb689f8f75f8113a38d56b2c2d

data/CHANGELOG.md

@@ -1,7 +1,16 @@
 # CHANGELOG
 
 
-## HEAD
+## 2.1.0 (25 June 2021)
+
+* Fix incorrect assignment of built association.
+* Add i18n translations for log actions.
+* Use model instance in change-password form.
+* Ensure password-reset flash notice not displayed when emailed link is clicked.
+* Use model instance in password-reset form.
+* Give no indication of unknown account on request of password reset email.
+* Use 422 status code for form submission error responses.
+* Make default cookie name depend on Rails environment.
 
 
 ## 2.0.2 (24 May 2021)

data/README.md

@@ -86,9 +86,9 @@ class Person < ApplicationRecord
 end
 ```
 
-When __creating__ a model instance, include a `:password` attribute and, optionally, `:password_confirmation` attribute.
+You can create and update your models as before.  When you want to set a password for the first time, just include `:password` and, optionally, `:password_confirmation` in the attributes to `#create` or `#update`.
 
-When __updating__ a model instance, do not include a `:password` attribute.  To change someone's password, use the Change Password feature (see below).
+If you want to change an existing password, use the Change Password feature (see below).  If you update a model (that already has a password) with a `:password` attribute, it will raise a `QuoVadis::PasswordExistsError`.
 
 The minimum password length is configured by `QuoVadis.password_minimum_length` (12 by default).
 
@@ -256,6 +256,8 @@ On that page you can show the user the address the email was sent to, enable the
 
 Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/edit.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit.html.:format`.
 
+Next, write the page where the user can amend their email address if they made a mistake when signing up ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/edit_email.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit_email.html.:format`.
+
 Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another confirmation email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/new.html.erb)).  It must be in `app/views/quo_vadis/confirmations/new.html.:format`.
 
 After the user has confirmed their account, they will be logged in and redirected to the first of these that exists:
@@ -353,9 +355,9 @@ Now write the page to where the user is redirected while they wait for the email
 
 It's a good idea for that page to link to `new_password_reset_path` where the user can request another email if need be.
 
-Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/edit.html.erb)).  It must be in `app/views/quo_vadis/password_resets/edit.html.:format`.
+Now write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/reset_password.text.erb)).  It must be in `app/views/quo_vadis/mailer/reset_password.{text,html}.erb` and output the `@url` variable.
 
-Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another password-reset email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/new.html.erb)).  It must be in `app/views/quo_vadis/password_resets/new.html.:format`.
+Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/edit.html.erb)).  It must be in `app/views/quo_vadis/password_resets/edit.html.:format`.
 
 After the user has reset their password, they will be logged in and redirected to the first of these that exists:
 
@@ -405,7 +407,7 @@ This is QuoVadis' [default configuration](https://github.com/airblade/quo_vadis/
 QuoVadis.configure do
   password_minimum_length               12
   mask_ips                              false
-  cookie_name                           '__Host-qv'
+  cookie_name                           (Rails.env.production? ? '__Host-qv' : 'qv')
   session_lifetime                      :session
   session_lifetime_extend_to_end_of_day false
   session_idle_timeout                  :lifetime
@@ -436,7 +438,7 @@ Masking means setting the last octet (IPv4) or the last 80 bits (IPv6) to 0.
 
 __`cookie_name`__ (string)
 
-The name of the cookie QuoVadis uses to store the session identifier.  The `__Host-` prefix is [recommended](https://developer.mozilla.org/en-US/docs/Web/API/document/cookie).
+The name of the cookie QuoVadis uses to store the session identifier.  The `__Host-` prefix is [recommended](https://developer.mozilla.org/en-US/docs/Web/API/document/cookie) in an SSL environment (but cannot be used in a non-SSL environment).
 
 __`session_lifetime`__ (`:session` | `ActiveSupport::Duration` | integer)
 

data/app/controllers/quo_vadis/password_resets_controller.rb

@@ -13,15 +13,14 @@ module QuoVadis
 
 
     def create
-      flash[:notice] = QuoVadis.translate 'flash.password_reset.create'
-
       account = QuoVadis.find_account_by_identifier_in_params params
-      return unless account
 
-      token = QuoVadis::PasswordResetToken.generate account
-      QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.edit_password_reset_url(token)
+      if account
+        token = QuoVadis::PasswordResetToken.generate account
+        QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.edit_password_reset_url(token)
+      end
 
-      redirect_to password_resets_path
+      redirect_to password_resets_path, notice: QuoVadis.translate('flash.password_reset.create')
     end
 
 
@@ -33,6 +32,10 @@ module QuoVadis
         redirect_to new_password_reset_path, alert: QuoVadis.translate('flash.password_reset.unknown') and return
       end
 
+      # Ensure the flash notice set in the create action does not appear when the user clicks the
+      # link in the email they were sent.
+      flash.delete :notice
+
       @password = QuoVadis::Password.new
     end
 
@@ -46,7 +49,7 @@ module QuoVadis
       end
 
       @password = account.password
-      if @password.reset params[:password], params[:password_confirmation]
+      if @password.reset params[:password][:password], params[:password][:password_confirmation]
         # Logout account's sessions because password has changed.
         # Note model is not logged in here.
         @password.account.sessions.destroy_all
@@ -57,7 +60,7 @@ module QuoVadis
         login @password.account.model, true
         redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.password_reset.reset')
       else
-        render :edit
+        render :edit, status: :unprocessable_entity
       end
     end
 

data/app/controllers/quo_vadis/passwords_controller.rb

@@ -11,14 +11,16 @@ module QuoVadis
 
     def update
       @password = authenticated_model.qv_account.password
-      if @password.change params[:password], params[:new_password], params[:new_password_confirmation]
+      if @password.change(params[:password][:password],
+                          params[:password][:new_password],
+                          params[:password][:new_password_confirmation])
         qv.log authenticated_model.qv_account, Log::PASSWORD_CHANGE
         QuoVadis.notify :password_change_notification, email: authenticated_model.email
         qv.logout_other_sessions
         qv.replace_session
         redirect_to qv.path_after_password_change, notice: QuoVadis.translate('flash.password.update')
       else
-        render :edit
+        render :edit, status: :unprocessable_entity
       end
     end
 

data/app/controllers/quo_vadis/recovery_codes_controller.rb

@@ -27,7 +27,7 @@ module QuoVadis
       else
         qv.log account, Log::RECOVERY_CODE_FAILURE
         flash.now[:alert] = QuoVadis.translate('flash.recovery_code.unverified')
-        render :challenge
+        render :challenge, status: :unprocessable_entity
       end
     end
 

data/app/controllers/quo_vadis/sessions_controller.rb

@@ -23,14 +23,14 @@ module QuoVadis
       unless account
         qv.log nil, Log::LOGIN_UNKNOWN, identifier: QuoVadis.identifier_value_in_params(params)
         flash.now[:alert] = QuoVadis.translate 'flash.login.failed'
-        render :new
+        render :new, status: :unprocessable_entity
         return
       end
 
       unless account.password.authenticate params[:password]
         qv.log account, Log::LOGIN_FAILURE
         flash.now[:alert] = QuoVadis.translate 'flash.login.failed'
-        render :new
+        render :new, status: :unprocessable_entity
         return
       end
 

data/app/controllers/quo_vadis/totps_controller.rb

@@ -53,7 +53,7 @@ module QuoVadis
           qv.log authenticated_model.qv_account, Log::TOTP_FAILURE
         end
         flash.now[:alert] = QuoVadis.translate('flash.totp.unverified')
-        render :challenge
+        render :challenge, status: :unprocessable_entity
       end
     end
 

data/app/models/quo_vadis/log.rb

@@ -21,7 +21,7 @@ module QuoVadis
     PASSWORD_RESET         = 'password.reset'
     ACCOUNT_CONFIRMATION   = 'account.confirmation'
     LOGOUT_OTHER           = 'logout.other'
-    LOGOUT                 = 'logout'
+    LOGOUT                 = 'logout.self'
 
     ACTIONS = [
       LOGIN_SUCCESS,

data/config/locales/quo_vadis.en.yml

@@ -31,7 +31,6 @@ en:
           other: You have %{count} recovery codes left.
       2fa:
         invalidated: You have invalidated your 2FA credentials and recovery codes.
-
     mailer:
       password_reset:
         subject: Change your password
@@ -46,6 +45,35 @@ en:
         totp_reuse: Your two-factor authentication code was reused just now
         twofa_deactivated: Two-factor authentication was deactivated just now
         recovery_codes_generation: Recovery codes have been generated for your account
+    log:
+      action:
+        login:
+          success: Logged in
+          failure: Failed login attempt (incorrect password)
+          unknown: Failed login attempt (unknown identifier)
+        totp:
+          setup: TOTP set up for 2FA
+          success: Authenticated via TOTP
+          failure: Failed authentication attempt via TOTP
+          reuse: Failed attempt to reuse TOTP code
+        recovery_code:
+          success: Authenticated via 2FA recovery code
+          failure: Failed authentication attempt via 2FA recovery code
+          generate: Generated new 2FA recovery codes
+        2fa:
+          deactivated: Deactivated 2FA
+        identifier:
+          change: Changed identifier
+        email:
+          change: Changed email address
+        password:
+          change: Changed password
+          reset: Reset password
+        account:
+          confirmation: Confirmed account
+        logout:
+          self: Logged out
+          other: Logged out session remotely
   activerecord:
     errors:
       models:

data/lib/quo_vadis/controller.rb

@@ -17,9 +17,8 @@ module QuoVadis
 
     def require_password_authentication
       return if logged_in?
-      flash[:notice] = QuoVadis.translate 'flash.require_authentication'
       session[:qv_bookmark] = request.original_fullpath
-      redirect_to quo_vadis.login_path
+      redirect_to quo_vadis.login_path, notice: QuoVadis.translate('flash.require_authentication')
     end
     alias_method :require_authentication, :require_password_authentication
 

data/lib/quo_vadis/defaults.rb

@@ -3,7 +3,7 @@ require 'active_support/core_ext'
 QuoVadis.configure do
   password_minimum_length               12
   mask_ips                              false
-  cookie_name                           '__Host-qv'
+  cookie_name                           (Rails.env.production? ? '__Host-qv' : 'qv')
   session_lifetime                      :session
   session_lifetime_extend_to_end_of_day false
   session_idle_timeout                  :lifetime

data/lib/quo_vadis/model.rb

@@ -14,11 +14,9 @@ module QuoVadis
 
         has_one :qv_account, as: :model, class_name: 'QuoVadis::Account', dependent: :destroy, autosave: true
 
-        before_validation :qv_build_account_and_password, on: :create
-        before_validation :qv_copy_identifier_to_account
+        before_validation :qv_copy_identifier_to_account, if: Proc.new { |m| m.qv_account }
 
-        # Enable a new-user form to set a password.
-        validate :qv_copy_password_errors, on: :create
+        validate :qv_copy_password_errors, if: Proc.new { |m| m.qv_account&.password }
 
         unless validators_on(identifier).any? { |v| ActiveRecord::Validations::UniquenessValidator === v }
           raise NotImplementedError, <<~END
@@ -44,24 +42,19 @@ module QuoVadis
 
       def password=(val)
         @password = val
-        self.qv_account ||= build_qv_account
+        build_qv_account unless qv_account
         raise PasswordExistsError if qv_account.password&.persisted?
         (qv_account.password || qv_account.build_password).password = val
       end
 
       def password_confirmation=(val)
         @password_confirmation = val
-        self.qv_account ||= build_qv_account
+        build_qv_account unless qv_account
         (qv_account.password || qv_account.build_password).password_confirmation = val
       end
 
       private
 
-      def qv_build_account_and_password
-        self.qv_account ||= build_qv_account
-        qv_account.password || qv_account.build_password
-      end
-
       def qv_copy_password_errors
         qv_account.password.valid?  # force qv_account.password to validate
         qv_account.password.errors[:password             ].each { |message| errors.add :password,              message }

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.0.2'
+  VERSION = '2.1.0'
 end

data/test/dummy/app/views/quo_vadis/logs/index.html.erb

@@ -3,6 +3,7 @@
 <table>
   <thead>
     <tr>
+      <th>Timestamp</th>
       <th>Action</th>
       <th>IP</th>
       <th>Metadata</th>
@@ -11,7 +12,8 @@
   <tbody>
     <% @logs.each do |log| %>
       <tr>
-        <td><%= log.action %></td>
+        <td><%= log.created_at %></td>
+        <td><%= QuoVadis.translate "log.action.#{log.action}" %></td>
         <td><%= log.ip %></td>
         <td><%= log.metadata.empty? ? '' : log.metadata.map {|k,v| "#{k}: #{v}"}.join(', ') %></td>
       </tr>

data/test/dummy/app/views/quo_vadis/password_resets/edit.html.erb

@@ -1,14 +1,6 @@
 <h1>Reset password</h1>
 
-<% if @password.errors.any? %>
-  <ul>
-    <% @password.errors.full_messages.each do |msg| %>
-      <li><%= msg %></li>
-    <% end %>
-  </ul>
-<% end %>
-
-<%= form_with url: password_reset_path(params[:token]), method: :put do |f| %>
+<%= form_with model: @password, url: password_reset_path(params[:token]), method: :put do |f| %>
   <p>
     <%= f.label :password %>
     <%= f.password_field :password, autocomplete: 'new-password' %>

data/test/dummy/app/views/quo_vadis/passwords/edit.html.erb

@@ -1,14 +1,6 @@
 <h1>Change password</h1>
 
-<% if @password.errors.any? %>
-  <ul>
-    <% @password.errors.full_messages.each do |msg| %>
-      <li><%= msg %></li>
-    <% end %>
-  </ul>
-<% end %>
-
-<%= form_with url: password_path, method: :put do |f| %>
+<%= form_with model: @password, url: password_path, method: :put do |f| %>
   <p>
     <%= f.label :password %>
     <%= f.password_field :password, autocomplete: 'current-password' %>

data/test/dummy/config/initializers/quo_vadis.rb

@@ -1,7 +1,3 @@
 QuoVadis.configure do
-  # Cannot use the __Host- prefix in a non-SSL environment.
-  # https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3.2
-  cookie_name 'qv'
-
   session_lifetime 1.week
 end

data/test/integration/logging_test.rb

@@ -15,13 +15,13 @@ class LoggingTest < IntegrationTest
     assert_response :success
 
     assert_select 'tbody tr' do
-      assert_select 'td', 'password.change'
+      assert_select 'td', 'Changed password'
       assert_select 'td', '1.2.3.4'
       assert_select 'td', 'foo: bar, baz: qux'
     end
 
     assert_select 'tbody tr' do
-      assert_select 'td', 'login.success'
+      assert_select 'td', 'Logged in'
       assert_select 'td', '127.0.0.1'
       assert_select 'td', ''
     end
@@ -157,7 +157,7 @@ class LoggingTest < IntegrationTest
   test 'password.change' do
     login
     assert_log QuoVadis::Log::PASSWORD_CHANGE do
-      put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'})
     end
   end
 
@@ -165,7 +165,7 @@ class LoggingTest < IntegrationTest
   test 'password.reset' do
     assert_difference 'QuoVadis::Log.count', 2 do
       token = QuoVadis::PasswordResetToken.generate @account
-      put quo_vadis.password_reset_path(token, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_reset_path(token, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     end
     assert_equal QuoVadis::Log::PASSWORD_RESET, QuoVadis::Log.first.action
     assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action

data/test/integration/password_change_test.rb

@@ -18,29 +18,31 @@ class PasswordChangeTest < IntegrationTest
 
 
   test 'incorrect password' do
-    put quo_vadis.password_path(password: 'x')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: 'x'})
+    assert_response :unprocessable_entity
     assert_equal ['is incorrect'], password_instance.errors[:password]
   end
 
 
   test 'new password empty' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: '')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: ''})
+    assert_response :unprocessable_entity
     assert_equal ["can't be blank"], password_instance.errors[:new_password]
   end
 
 
   test 'new password too short' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: 'x')
-    assert_response :success
+    put quo_vadis.password_path(password: {password: '123456789abc', new_password: 'x'})
+    assert_response :unprocessable_entity
     assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], password_instance.errors[:new_password]
   end
 
 
   test 'new password confirmation does not match' do
-    put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y')
-    assert_response :success
+    put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'y'
+    })
+    assert_response :unprocessable_entity
     assert_equal ["doesn't match Password"], password_instance.errors[:new_password_confirmation]
   end
 
@@ -48,7 +50,9 @@ class PasswordChangeTest < IntegrationTest
   test 'success' do
     assert_emails 1 do
       assert_session_replaced do
-        put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+        put quo_vadis.password_path(password: {
+          password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+        })
         assert_response :redirect
         assert_equal 'Your password has been changed.', flash[:notice]
       end
@@ -60,7 +64,9 @@ class PasswordChangeTest < IntegrationTest
     desktop = session_login
     phone = session_login
 
-    desktop.put quo_vadis.password_path(password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx')
+    desktop.put quo_vadis.password_path(password: {
+      password: '123456789abc', new_password: 'xxxxxxxxxxxx', new_password_confirmation: 'xxxxxxxxxxxx'
+    })
     desktop.follow_redirect!
     assert desktop.controller.logged_in?
 

data/test/integration/password_login_test.rb

@@ -21,6 +21,7 @@ class PasswordLoginTest < IntegrationTest
 
   test 'successful login redirects to original path' do
     get also_secret_articles_path
+    refute_nil session[:qv_bookmark]
 
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
@@ -30,11 +31,22 @@ class PasswordLoginTest < IntegrationTest
   end
 
 
+  test 'successful login does not redirect to login path' do
+    get quo_vadis.login_path
+    assert_nil session[:qv_bookmark]
+
+    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
+
+    assert_redirected_to after_login_path
+  end
+
+
   test 'failed login' do
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
 
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.login_path, path
   end
 
@@ -42,7 +54,7 @@ class PasswordLoginTest < IntegrationTest
   test 'unknown login' do
     post quo_vadis.login_path(email: 'bob@example.com', password: 'wrong')
 
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.login_path, path
   end
 

data/test/integration/password_reset_test.rb

@@ -15,7 +15,7 @@ class PasswordResetTest < IntegrationTest
 
   test 'unknown identifier' do
     post quo_vadis.password_resets_path(email: 'foo@example.com')
-    assert_response :success
+    assert_redirected_to quo_vadis.password_resets_path
     assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
   end
 
@@ -53,7 +53,7 @@ class PasswordResetTest < IntegrationTest
     assert_emails 1 do
       post quo_vadis.password_resets_path(email: 'bob@example.com')
     end
-    put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+    put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     assert controller.logged_in?
 
     get quo_vadis.edit_password_reset_url(extract_token_from_email)
@@ -70,11 +70,11 @@ class PasswordResetTest < IntegrationTest
     end
 
     assert_no_difference 'QuoVadis::Session.count' do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: '', password_confirmation: '')
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: '', password_confirmation: ''})
     end
 
     assert_equal digest, @user.qv_account.password.reload.password_digest
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal quo_vadis.password_reset_path(extract_token_from_email), path
   end
 
@@ -95,7 +95,7 @@ class PasswordResetTest < IntegrationTest
     end
 
     assert_difference 'QuoVadis::Session.count', (- 2 + 1) do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx')
+      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     end
 
     assert controller.logged_in?

data/test/integration/totps_test.rb

@@ -74,7 +74,7 @@ class TotpsTest < IntegrationTest
 
     post quo_vadis.authenticate_totps_path(totp: '123456')
     refute QuoVadis::Session.last.second_factor_authenticated?
-    assert_response :success
+    assert_response :unprocessable_entity
     assert_equal 'Sorry, the code was incorrect. Please check your system clock is correct and try again.', flash[:alert]
   end
 

data/test/models/password_test.rb

@@ -46,6 +46,9 @@ class PasswordTest < ActiveSupport::TestCase
 
   test 'model passes through password to quo_vadis' do
     user = User.new name: 'bob', email: 'bob@example.com'
+    assert user.valid?
+
+    user = User.new name: 'bob', email: 'bob@example.com', password: ''
     refute user.valid?
     refute_empty user.errors[:password]
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.1.0
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-24 00:00:00.000000000 Z
+date: 2021-06-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -224,7 +224,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key:
 specification_version: 4
 summary: Multifactor authentication for Rails 6.