RubyGems - quo_vadis - Versions diffs - 2.1.0 → 2.1.1 - Mend

quo_vadis 2.1.0 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f8acc907c43d19fcc6f9be59854be5e848add025d427f78ec608b2e24677e73
-  data.tar.gz: efab0ab6fc83535466f6bb6e31bb056016c5220ef227155629601e5c17aff5b6
+  metadata.gz: 455075dcaacc7b730c0834edec721467fd36aed73ab25d55980f2db6baa5226c
+  data.tar.gz: 463eafcb85b1da5a09ebf990d38729f9e4a52e60856e83350df1f57fccbdd439
 SHA512:
-  metadata.gz: 8d34c8922431d4234650c50718a29b71a328b070582bb5b7fac74d4b1e2b6847bc2b130a197d6dcc05d93d2c0dab882a90fecf9faa3e1620f36acb48b9be3778
-  data.tar.gz: 4f471b97ff2a2dc0461ddac1f68c1e9f263ac5c188ab89daf2974f3c8f2e85c5e2b586da72b8c798d5f696acf3a2a7079aef57fb689f8f75f8113a38d56b2c2d
+  metadata.gz: 3113487a82c77378bec401e4c721923d2de127a0ad790cb96e754e83794dc236e2a8042f33305114f1b85b021ad12d08f9724e1338c3f0f4c1e536853482e93b
+  data.tar.gz: 0c03c57428c0642fbd29d0b9ad150e01d72a3bd4ef5eab35243584b4621a6d35aaba218af90b13cb7ef8a66f0ded8c0f02a842899c2ef3561d7b0279f5864a23

data/CHANGELOG.md CHANGED Viewed

@@ -1,8 +1,20 @@
 # CHANGELOG
+## HEAD
+## 2.1.1 (8 July 2021)
+* Remove unnecessary route names.
+* Add user revocation.
+* Ensure password is only updated via #change or #reset.
+* Move views into gem's app/views/ directory.
 ## 2.1.0 (25 June 2021)
+* Do not require password on create.
 * Fix incorrect assignment of built association.
 * Add i18n translations for log actions.
 * Use model instance in change-password form.

data/README.md CHANGED Viewed

@@ -246,19 +246,19 @@ class UsersController < ApplicationController
 end
 ```
-QuoVadis will send the user an email with a link.  Write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb)).  It must be in `app/views/quo_vadis/mailer/account_confirmation.{text,html}.erb` and output the `@url` variable.
+QuoVadis will send the user an email with a link.  Write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/account_confirmation.text.erb)).  It must be in `app/views/quo_vadis/mailer/account_confirmation.{text,html}.erb` and output the `@url` variable.
 See the Configuration section below for how to set QuoVadis's emails' from addresses, headers, etc.
-Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/index.html.erb)).  It must be in `app/views/quo_vadis/confirmations/index.html.:format`.
+Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/index.html.erb)).  It must be in `app/views/quo_vadis/confirmations/index.html.:format`.
 On that page you can show the user the address the email was sent to, enable them to update their email address if they make a mistake on the sign-up form, and provide a button to resend another email directly.  If the sign-up occurred in a different browser session, you can instead link to `new_confirmation_path` where the user can request another email if need be.
-Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/edit.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit.html.:format`.
+Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/edit.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit.html.:format`.
-Next, write the page where the user can amend their email address if they made a mistake when signing up ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/edit_email.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit_email.html.:format`.
+Next, write the page where the user can amend their email address if they made a mistake when signing up ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/edit_email.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit_email.html.:format`.
-Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another confirmation email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/new.html.erb)).  It must be in `app/views/quo_vadis/confirmations/new.html.:format`.
+Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another confirmation email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/new.html.erb)).  It must be in `app/views/quo_vadis/confirmations/new.html.:format`.
 After the user has confirmed their account, they will be logged in and redirected to the first of these that exists:
@@ -272,7 +272,7 @@ So add whichever works best for you.
 Use `before_action :require_password_authentication` or `before_action :require_authentication` in your controllers.
-Write the login view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/sessions/new.html.erb)).  Your login form must be in `app/views/quo_vadis/sessions/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
+Write the login view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/sessions/new.html.erb)).  Your login form must be in `app/views/quo_vadis/sessions/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
 If you include a `remember` checkbox in your login form:
@@ -312,22 +312,22 @@ In your views, have a link where users can manage their 2FA:
 link_to '2FA', quo_vadis.twofa_path
 ```
-Write the 2FA overview page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/twofas/show.html.erb)).  It must be in `app/views/quo_vadis/twofas/show.html.:format`.  This page allows the user to set up 2FA, deactivate or reset it, and generate new recovery codes.
+Write the 2FA overview page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/twofas/show.html.erb)).  It must be in `app/views/quo_vadis/twofas/show.html.:format`.  This page allows the user to set up 2FA, deactivate or reset it, and generate new recovery codes.
-Next, write the TOTP setup page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/totps/new.html.erb)).  It must be in `app/views/quo_vadis/totps/new.html.:format`.  This page shows the user a QR code (and the key as text) which they scan with their authenticator.
+Next, write the TOTP setup page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/totps/new.html.erb)).  It must be in `app/views/quo_vadis/totps/new.html.:format`.  This page shows the user a QR code (and the key as text) which they scan with their authenticator.
-Next, write the recovery codes page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/recovery_codes/index.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/index.html.:format`.  This shows the recovery codes immediately after TOTP is setup, and immediately after generating fresh recovery codes, but not otherwise.
+Next, write the recovery codes page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/recovery_codes/index.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/index.html.:format`.  This shows the recovery codes immediately after TOTP is setup, and immediately after generating fresh recovery codes, but not otherwise.
-Next, write the TOTP challenge page where a user inputs their 6-digit TOTP ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/totps/challenge.html.erb)).  It must be in `app/views/quo_vadis/totps/challenge.html.:format`.  It's a good idea to link to the recovery code page (`challenge_recovery_codes_path`) for any user who has lost their authenticator.
+Next, write the TOTP challenge page where a user inputs their 6-digit TOTP ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/totps/challenge.html.erb)).  It must be in `app/views/quo_vadis/totps/challenge.html.:format`.  It's a good idea to link to the recovery code page (`challenge_recovery_codes_path`) for any user who has lost their authenticator.
-Finally, write the recovery code challenge page where a user inputs one of their recovery codes ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/recovery_codes/challenge.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/challenge.html.:format`.  A recovery code can only be used once, and using one deactivates TOTP – so the user will have to set it up again next time.
+Finally, write the recovery code challenge page where a user inputs one of their recovery codes ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/recovery_codes/challenge.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/challenge.html.:format`.  A recovery code can only be used once, and using one deactivates TOTP – so the user will have to set it up again next time.
 ### Change password
 To change their password, the user must provide their current one as well as the new one.
-Write the change-password form ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/passwords/edit.html.erb)).  It must be in `app/views/quo_vadis/passwords/edit.html.:format`.
+Write the change-password form ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/passwords/edit.html.erb)).  It must be in `app/views/quo_vadis/passwords/edit.html.:format`.
 After the password has been changed, the user is redirected to the first of:
@@ -347,17 +347,17 @@ The user can reset their password if they lose it.  The flow is:
 4. [Password-reset confirmation page] The user enters their new password and clicks a button.
 5. QuoVadis sets the user's password and logs them in.
-First, write the page where the user requests a password-reset ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/new.html.erb)).  It must be in `app/views/quo_vadis/password_resets/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
+First, write the page where the user requests a password-reset ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/new.html.erb)).  It must be in `app/views/quo_vadis/password_resets/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
 See the Configuration section below for how to set QuoVadis's emails' from addresses, headers, etc.
-Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/index.html.erb)).  It must be in `app/views/quo_vadis/password_resets/index.html.:format`.
+Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/index.html.erb)).  It must be in `app/views/quo_vadis/password_resets/index.html.:format`.
 It's a good idea for that page to link to `new_password_reset_path` where the user can request another email if need be.
-Now write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/reset_password.text.erb)).  It must be in `app/views/quo_vadis/mailer/reset_password.{text,html}.erb` and output the `@url` variable.
+Now write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/reset_password.text.erb)).  It must be in `app/views/quo_vadis/mailer/reset_password.{text,html}.erb` and output the `@url` variable.
-Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/edit.html.erb)).  It must be in `app/views/quo_vadis/password_resets/edit.html.:format`.
+Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/edit.html.erb)).  It must be in `app/views/quo_vadis/password_resets/edit.html.:format`.
 After the user has reset their password, they will be logged in and redirected to the first of these that exists:
@@ -371,14 +371,14 @@ A logged-in session lasts for either the browser session or `QuoVadis.session_li
 A user can view their active sessions and log out of any of them.
-Write the view showing the sessions ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/sessions/index.html.erb)).  It must be in `app/views/quo_vadis/sessions/index.html.:format`.
+Write the view showing the sessions ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/sessions/index.html.erb)).  It must be in `app/views/quo_vadis/sessions/index.html.:format`.
 ### Audit trail
 An audit trail is kept of authentication events.  You can see the full list in the [`Log`](https://github.com/airblade/quo_vadis/blob/master/app/models/quo_vadis/log.rb) class.
-Write the view showing the events ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/logs/index.html.erb)).  It must be in `app/views/quo_vadis/logs/index.html.:format`.
+Write the view showing the events ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/logs/index.html.erb)).  It must be in `app/views/quo_vadis/logs/index.html.:format`.
 ### Notifications
@@ -387,18 +387,23 @@ QuoVadis notifies users by email whenever their authentication details are chang
 Write the corresponding mailer views:
-- change of email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb))
-- change of identifier (unless the identifier is email) ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb))
-- change of password ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb))
-- reset of password ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb))
-- TOTP setup ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/totp_setup_notification.text.erb))
-- TOTP code used a second time ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb))
-- 2FA deactivated ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb))
-- recovery codes generated ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb))
+- change of email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/email_change_notification.text.erb))
+- change of identifier (unless the identifier is email) ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/identifier_change_notification.text.erb))
+- change of password ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/password_change_notification.text.erb))
+- reset of password ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/password_reset_notification.text.erb))
+- TOTP setup ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/totp_setup_notification.text.erb))
+- TOTP code used a second time ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb))
+- 2FA deactivated ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb))
+- recovery codes generated ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb))
 They must be in `app/views/quo_vadis/mailer/NAME.{text,html}.erb`.
+### Revocation
+You can revoke a user's access by calling `#revoke_authentication_credentials` on the model instance.  This deletes the user's password, TOTP credential, recovery codes, and active sessions.  Their authentication logs, or audit trail, are preserved.
 ## Configuration
 This is QuoVadis' [default configuration](https://github.com/airblade/quo_vadis/blob/master/lib/quo_vadis/defaults.rb):

data/app/controllers/quo_vadis/password_resets_controller.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module QuoVadis
       if account
         token = QuoVadis::PasswordResetToken.generate account
-        QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.edit_password_reset_url(token)
+        QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.password_reset_url(token)
       end
       redirect_to password_resets_path, notice: QuoVadis.translate('flash.password_reset.create')

data/app/models/quo_vadis/account.rb CHANGED Viewed

@@ -35,6 +35,19 @@ module QuoVadis
       Array.new(MAX_NUMBER_OF_RECOVERY_CODES) { recovery_codes.create }.map &:code
     end
+    def revoke
+      password&.destroy
+      totp&.destroy
+      recovery_codes.destroy_all
+      sessions.destroy_all
+      Log.create(
+        account: self,
+        action: Log::REVOKE,
+        ip: (CurrentRequestDetails.ip || '')
+      )
+    end
     private
     def log_identifier_change

data/app/models/quo_vadis/log.rb CHANGED Viewed

@@ -22,6 +22,7 @@ module QuoVadis
     ACCOUNT_CONFIRMATION   = 'account.confirmation'
     LOGOUT_OTHER           = 'logout.other'
     LOGOUT                 = 'logout.self'
+    REVOKE                 = 'revoke'
     ACTIONS = [
       LOGIN_SUCCESS,
@@ -41,7 +42,8 @@ module QuoVadis
       PASSWORD_RESET,
       ACCOUNT_CONFIRMATION,
       LOGOUT_OTHER,
-      LOGOUT
+      LOGOUT,
+      REVOKE
     ]
     belongs_to :account, optional: true  # optional only for LOGIN_UNKNOWN

data/app/models/quo_vadis/password.rb CHANGED Viewed

@@ -7,6 +7,7 @@ module QuoVadis
     has_secure_password
     validates_length_of :password, minimum: QuoVadis.password_minimum_length, allow_blank: true
+    validate :password_updated_legitimately, on: :update
     attr_accessor :new_password
@@ -48,5 +49,20 @@ module QuoVadis
       save
     end
+    private
+    def password_updated_legitimately
+      return unless password_digest_changed?
+      unless change_or_reset_called?
+        errors.add :password, 'must be updated via #change or #reset'
+      end
+    end
+    def change_or_reset_called?
+      caller_locations.any? { |loc|
+        ['change', 'reset'].include?(loc.label) && Pathname.new(loc.path).basename.to_s == 'password.rb'
+      }
+    end
   end
 end

data/{test/dummy/app → app}/views/quo_vadis/confirmations/edit.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/confirmations/edit_email.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/confirmations/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/confirmations/new.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/logs/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/account_confirmation.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/email_change_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/identifier_change_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/password_change_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/password_reset_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/reset_password.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/totp_reuse_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/totp_setup_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/password_resets/edit.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/password_resets/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/password_resets/new.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/passwords/edit.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/recovery_codes/challenge.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/recovery_codes/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/sessions/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/sessions/new.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/totps/challenge.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/totps/new.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/twofas/show.html.erb RENAMED Viewed

File without changes

data/config/locales/quo_vadis.en.yml CHANGED Viewed

@@ -74,6 +74,7 @@ en:
         logout:
           self: Logged out
           other: Logged out session remotely
+        revoke: Revoked access
   activerecord:
     errors:
       models:

data/config/routes.rb CHANGED Viewed

@@ -12,8 +12,8 @@ QuoVadis::Engine.routes.draw do
   resource  :password, only: [:edit, :update]
   resources :password_resets, only: [:new, :create, :index]
-  get '/pwd-reset/:token', to: 'password_resets#edit',   as: 'edit_password_reset'
-  put '/pwd-reset/:token', to: 'password_resets#update', as: 'password_reset'
+  get '/pwd-reset/:token', to: 'password_resets#edit', as: 'password_reset'
+  put '/pwd-reset/:token', to: 'password_resets#update'
   resources :confirmations, only: [:new, :create, :index] do
     collection do
@@ -22,8 +22,8 @@ QuoVadis::Engine.routes.draw do
       post :resend
     end
   end
-  get '/confirm/:token', to: 'confirmations#edit',   as: 'edit_confirmation'
-  put '/confirm/:token', to: 'confirmations#update', as: 'confirmation'
+  get '/confirm/:token', to: 'confirmations#edit', as: 'confirmation'
+  put '/confirm/:token', to: 'confirmations#update'
   resources :totps, only: [:new, :create] do
     collection do

data/lib/generators/quo_vadis/install_generator.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module QuoVadis
   class InstallGenerator < Rails::Generators::Base
-    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'test' / 'dummy' / 'app' / 'views' / 'quo_vadis'
+    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'app' / 'views' / 'quo_vadis'
     desc "Copy QuoVadis' views into your app."
     def copy_views

data/lib/quo_vadis/controller.rb CHANGED Viewed

@@ -87,7 +87,7 @@ module QuoVadis
     def request_confirmation(model)
       token = QuoVadis::AccountConfirmationToken.generate model.qv_account
-      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.edit_confirmation_url(token)
+      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.confirmation_url(token)
       session[:account_pending_confirmation] = model.qv_account.id
       flash[:notice] = QuoVadis.translate 'flash.confirmation.create'

data/lib/quo_vadis/model.rb CHANGED Viewed

@@ -53,6 +53,10 @@ module QuoVadis
         (qv_account.password || qv_account.build_password).password_confirmation = val
       end
+      def revoke_authentication_credentials
+        qv_account.revoke
+      end
       private
       def qv_copy_password_errors

data/lib/quo_vadis/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module QuoVadis
-  VERSION = '2.1.0'
+  VERSION = '2.1.1'
 end

data/test/integration/logging_test.rb CHANGED Viewed

@@ -201,6 +201,15 @@ class LoggingTest < IntegrationTest
   end
+  test 'revoke' do
+    login_new_session
+    assert_log QuoVadis::Log::REVOKE do
+      QuoVadis::CurrentRequestDetails.ip = '127.0.0.1'  # fake out the IP assertion
+      @account.revoke
+    end
+  end
   private
   def assert_log(action, metadata = {}, account = @account, &block)

data/test/integration/password_reset_test.rb CHANGED Viewed

@@ -56,7 +56,7 @@ class PasswordResetTest < IntegrationTest
     put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     assert controller.logged_in?
-    get quo_vadis.edit_password_reset_url(extract_token_from_email)
+    get quo_vadis.password_reset_url(extract_token_from_email)
     assert_redirected_to quo_vadis.new_password_reset_path
     assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
   end

data/test/models/account_test.rb CHANGED Viewed

@@ -31,4 +31,20 @@ class AccountTest < ActiveSupport::TestCase
     end
   end
+  test 'revoke' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+    account.create_totp last_used_at: 1.minute.ago
+    account.generate_recovery_codes
+    u.revoke_authentication_credentials
+    account.reload
+    assert_nil account.password
+    assert_nil account.totp
+    assert_empty account.recovery_codes
+    assert_empty account.sessions
+  end
 end

data/test/models/password_test.rb CHANGED Viewed

@@ -120,6 +120,19 @@ class PasswordTest < ActiveSupport::TestCase
   end
+  test 'passwords can only be updated via #change and #reset' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+    refute pw.update password: 'secretsecret'
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+    pw.password = VALID_PASSWORD
+    refute pw.save
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+  end
   test 'cascade destroy' do
     user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
     assert user.qv_account.persisted?

data/test/models/token_test.rb CHANGED Viewed

@@ -52,7 +52,7 @@ class TokenTest < ActiveSupport::TestCase
   test 'password reset already done' do
     token = QuoVadis::PasswordResetToken.generate @account
-    @account.password.update password: 'secretsecret'
+    @account.password.reset 'secretsecret', 'secretsecret'
     assert_nil QuoVadis::PasswordResetToken.find_account(token)
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-25 00:00:00.000000000 Z
+date: 2021-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -97,6 +97,32 @@ files:
 - app/models/quo_vadis/session.rb
 - app/models/quo_vadis/token.rb
 - app/models/quo_vadis/totp.rb
+- app/views/quo_vadis/confirmations/edit.html.erb
+- app/views/quo_vadis/confirmations/edit_email.html.erb
+- app/views/quo_vadis/confirmations/index.html.erb
+- app/views/quo_vadis/confirmations/new.html.erb
+- app/views/quo_vadis/logs/index.html.erb
+- app/views/quo_vadis/mailer/account_confirmation.text.erb
+- app/views/quo_vadis/mailer/email_change_notification.text.erb
+- app/views/quo_vadis/mailer/identifier_change_notification.text.erb
+- app/views/quo_vadis/mailer/password_change_notification.text.erb
+- app/views/quo_vadis/mailer/password_reset_notification.text.erb
+- app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb
+- app/views/quo_vadis/mailer/reset_password.text.erb
+- app/views/quo_vadis/mailer/totp_reuse_notification.text.erb
+- app/views/quo_vadis/mailer/totp_setup_notification.text.erb
+- app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb
+- app/views/quo_vadis/password_resets/edit.html.erb
+- app/views/quo_vadis/password_resets/index.html.erb
+- app/views/quo_vadis/password_resets/new.html.erb
+- app/views/quo_vadis/passwords/edit.html.erb
+- app/views/quo_vadis/recovery_codes/challenge.html.erb
+- app/views/quo_vadis/recovery_codes/index.html.erb
+- app/views/quo_vadis/sessions/index.html.erb
+- app/views/quo_vadis/sessions/new.html.erb
+- app/views/quo_vadis/totps/challenge.html.erb
+- app/views/quo_vadis/totps/new.html.erb
+- app/views/quo_vadis/twofas/show.html.erb
 - bin/console
 - bin/rails
 - bin/setup
@@ -131,32 +157,6 @@ files:
 - test/dummy/app/views/articles/secret.html.erb
 - test/dummy/app/views/articles/very_secret.html.erb
 - test/dummy/app/views/layouts/application.html.erb
-- test/dummy/app/views/quo_vadis/confirmations/edit.html.erb
-- test/dummy/app/views/quo_vadis/confirmations/edit_email.html.erb
-- test/dummy/app/views/quo_vadis/confirmations/index.html.erb
-- test/dummy/app/views/quo_vadis/confirmations/new.html.erb
-- test/dummy/app/views/quo_vadis/logs/index.html.erb
-- test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb
-- test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/reset_password.text.erb
-- test/dummy/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/totp_setup_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb
-- test/dummy/app/views/quo_vadis/password_resets/edit.html.erb
-- test/dummy/app/views/quo_vadis/password_resets/index.html.erb
-- test/dummy/app/views/quo_vadis/password_resets/new.html.erb
-- test/dummy/app/views/quo_vadis/passwords/edit.html.erb
-- test/dummy/app/views/quo_vadis/recovery_codes/challenge.html.erb
-- test/dummy/app/views/quo_vadis/recovery_codes/index.html.erb
-- test/dummy/app/views/quo_vadis/sessions/index.html.erb
-- test/dummy/app/views/quo_vadis/sessions/new.html.erb
-- test/dummy/app/views/quo_vadis/totps/challenge.html.erb
-- test/dummy/app/views/quo_vadis/totps/new.html.erb
-- test/dummy/app/views/quo_vadis/twofas/show.html.erb
 - test/dummy/app/views/sign_ups/new.html.erb
 - test/dummy/app/views/sign_ups/show.html.erb
 - test/dummy/app/views/users/new.html.erb
@@ -224,7 +224,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Multifactor authentication for Rails 6.