quo_vadis 2.1.11 → 2.2.1

data/test/integration/logging_test.rb

@@ -163,22 +163,42 @@ class LoggingTest < IntegrationTest
 
 
   test 'password.reset' do
+    assert_emails 1 do
+      post quo_vadis.password_reset_path(email: 'bob@example.com')
+      follow_redirect!
+    end
+
     assert_difference 'QuoVadis::Log.count', 2 do
-      token = QuoVadis::PasswordResetToken.generate @account
-      put quo_vadis.password_reset_path(token, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
+      put quo_vadis.password_reset_path(password: {
+        otp: extract_code_from_email,
+        password: 'secretsecret',
+        password_confirmation: 'secretsecret',
+      })
     end
+
     assert_equal QuoVadis::Log::PASSWORD_RESET, QuoVadis::Log.first.action
     assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
   end
 
 
   test 'account.confirmation' do
-    assert_difference 'QuoVadis::Log.count', 2 do
-      token = QuoVadis::AccountConfirmationToken.generate @account
-      put quo_vadis.confirmation_path(token)
+    QuoVadis.accounts_require_confirmation true
+
+    assert_emails 1 do
+      login
+      assert_redirected_to '/articles/secret'
+      follow_redirect!
+      assert_redirected_to '/confirm'
+      follow_redirect!
     end
-    assert_equal QuoVadis::Log::ACCOUNT_CONFIRMATION, QuoVadis::Log.first.action
-    assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
+
+    assert_difference 'QuoVadis::Log.count' do
+      post quo_vadis.confirm_path(otp: extract_code_from_email)
+    end
+
+    assert_equal QuoVadis::Log::ACCOUNT_CONFIRMATION, log.action
+  ensure
+    QuoVadis.accounts_require_confirmation false
   end
 
 
@@ -241,4 +261,8 @@ class LoggingTest < IntegrationTest
     end
   end
 
+  def extract_code_from_email
+    ActionMailer::Base.deliveries.last.decoded[%r{\d{6}}, 0]
+  end
+
 end

data/test/integration/password_login_test.rb

@@ -105,7 +105,7 @@ class PasswordLoginTest < IntegrationTest
     travel 5.days
 
     get articles_path
-    assert controller.logged_in?  # flakey
+    assert controller.logged_in?
 
     travel 3.days
 

data/test/integration/password_reset_test.rb

@@ -14,102 +14,144 @@ class PasswordResetTest < IntegrationTest
 
 
   test 'unknown identifier' do
-    post quo_vadis.password_resets_path(email: 'foo@example.com')
-    assert_redirected_to quo_vadis.password_resets_path
-    assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
+    post quo_vadis.password_reset_path(email: 'foo@example.com')
+    assert_redirected_to quo_vadis.edit_password_reset_path
+    assert_equal 'Please check your email for your reset code.', flash[:notice]
   end
 
 
   test 'known identifier' do
     assert_emails 1 do
-      post quo_vadis.password_resets_path(email: 'bob@example.com')
+      post quo_vadis.password_reset_path(email: 'bob@example.com')
     end
-    assert_redirected_to quo_vadis.password_resets_path
-    assert_equal 'A link to change your password has been emailed to you.', flash[:notice]
+    assert_redirected_to quo_vadis.edit_password_reset_path
+    assert_equal 'Please check your email for your reset code.', flash[:notice]
   end
 
 
-  test 'click link in email' do
+  test 'reset code expired' do
     assert_emails 1 do
-      post quo_vadis.password_resets_path(email: 'bob@example.com')
+      post quo_vadis.password_reset_path(email: 'bob@example.com')
+      follow_redirect!
     end
-    get extract_url_from_email
-    assert_response :success
-  end
 
+    travel QuoVadis.password_reset_otp_lifetime + 1.minute
 
-  test 'expired link' do
-    assert_emails 1 do
-      post quo_vadis.password_resets_path(email: 'bob@example.com')
-    end
-    travel QuoVadis.password_reset_token_lifetime + 1.minute
-    get extract_url_from_email
+    # type in reset code from email
+    code = extract_code_from_email
+    put quo_vadis.password_reset_path(password: {
+      otp: code,
+      password: 'secretsecret',
+      password_confirmation: 'secretsecret',
+    })
+
+    assert_equal 'Your reset code has expired.  Please request another one.', flash[:alert]
     assert_redirected_to quo_vadis.new_password_reset_path
-    assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
   end
 
 
-  test 'link cannot be reused' do
+  test 'reset code incorrect' do
     assert_emails 1 do
-      post quo_vadis.password_resets_path(email: 'bob@example.com')
+      post quo_vadis.password_reset_path(email: 'bob@example.com')
+      follow_redirect!
     end
-    put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
-    assert controller.logged_in?
 
-    get quo_vadis.password_reset_url(extract_token_from_email)
+    # type in reset code from email
+    put quo_vadis.password_reset_path(password: {
+      otp: '000000',
+      password: 'secretsecret',
+      password_confirmation: 'secretsecret',
+    })
+
     assert_redirected_to quo_vadis.new_password_reset_path
-    assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
+    assert_equal 'Sorry, the code was incorrect.  Please try again.', flash[:alert]
   end
 
 
   test 'new password invalid' do
-    digest = @user.qv_account.password.password_digest
-
     assert_emails 1 do
-      post quo_vadis.password_resets_path(email: 'bob@example.com')
+      post quo_vadis.password_reset_path(email: 'bob@example.com')
+      follow_redirect!
     end
 
+    # type in reset code from email
+    code = extract_code_from_email
     assert_no_difference 'QuoVadis::Session.count' do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: '', password_confirmation: ''})
+      put quo_vadis.password_reset_path(password: {
+        otp: code,
+        password: 'secret',
+        password_confirmation: 'secret',
+      })
     end
 
-    assert_equal digest, @user.qv_account.password.reload.password_digest
-    assert_response :unprocessable_entity
-    assert_equal quo_vadis.password_reset_path(extract_token_from_email), path
+    assert_response 422
+    assert_nil flash[:notice]
+    refute controller.logged_in?
   end
 
 
   test 'new password valid' do
-    QuoVadis.two_factor_authentication_mandatory false
-
-    digest = @user.qv_account.password.password_digest
-
-    desktop = session_login
     phone = session_login
+    tablet = session_login
 
     get articles_url
     refute controller.logged_in?
 
     assert_emails 1 do
-      post quo_vadis.password_resets_path(email: 'bob@example.com')
+      post quo_vadis.password_reset_path(email: 'bob@example.com')
+      follow_redirect!
     end
 
-    assert_difference 'QuoVadis::Session.count', (- 2 + 1) do
-      put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
+    # type in reset code from email
+    code = extract_code_from_email
+    # deletes phone and tablet sessions and creates new session
+    assert_difference 'QuoVadis::Session.count', -1 do
+      put quo_vadis.password_reset_path(password: {
+        otp: code,
+        password: 'secretsecret',
+        password_confirmation: 'secretsecret',
+      })
     end
 
+    assert_equal 'Your password has been changed and you are logged in.', flash[:notice]
     assert controller.logged_in?
-
-    desktop.get articles_url
-    refute desktop.controller.logged_in?  # NOTE: flaky; if this fails, re-migrate the database.
+    assert_redirected_to '/articles/secret'
 
     phone.get articles_url
     refute phone.controller.logged_in?
 
-    refute_equal digest, @user.qv_account.password.reload.password_digest
+    tablet.get articles_url
+    refute tablet.controller.logged_in?
+  end
 
-    assert_redirected_to '/articles/secret'
-    assert_equal 'Your password has been changed and you are logged in.', flash[:notice]
+
+  test 'reset code cannot be reused' do
+    assert_emails 1 do
+      post quo_vadis.password_reset_path(email: 'bob@example.com')
+      follow_redirect!
+    end
+
+    # type in reset code from email
+    code = extract_code_from_email
+    put quo_vadis.password_reset_path(password: {
+      otp: code,
+      password: 'secretsecret',
+      password_confirmation: 'secretsecret',
+    })
+
+    # The password-reset process is now finished.
+    # Test what happens if reset code is resubmitted with a different password.
+
+    put quo_vadis.password_reset_path(password: {
+      otp: code,
+      password: 'foobarfoobar',
+      password_confirmation: 'foobarfoobar',
+    })
+
+    assert_redirected_to quo_vadis.new_password_reset_path
+    assert_nil flash[:alert]
+    refute @user.qv_account.password.authenticate('foobarfoobar')
+    assert @user.qv_account.password.authenticate('123456789abc')
   end
 
 
@@ -121,16 +163,9 @@ class PasswordResetTest < IntegrationTest
     end
   end
 
-  def extract_url_from_email
-    ActionMailer::Base.deliveries.last.decoded[%r{^http://.*$}, 0]
-  end
-
-  def extract_path_from_email
-    extract_url_from_email.sub 'http://www.example.com', ''
-  end
 
-  def extract_token_from_email
-    extract_url_from_email[%r{/([^/]*)$}, 1]
+  def extract_code_from_email
+    ActionMailer::Base.deliveries.last.decoded[%r{\d{6}}, 0]
   end
 
 end

data/test/integration/sessions_test.rb

@@ -69,6 +69,22 @@ class SessionsTest < IntegrationTest
   end
 
 
+  test 'non-authentication session data is not removed on logout' do
+    desktop = login
+    session_id = desktop.session.id
+
+    desktop.get secret_articles_path
+    assert_equal 'bar', desktop.session[:foo]
+
+    desktop.delete quo_vadis.logout_path
+    refute desktop.controller.logged_in?
+
+    desktop.get articles_path
+    assert_equal 'bar', desktop.session[:foo]
+    refute_equal session_id, desktop.session.id
+  end
+
+
   private
 
   # starts a new rails session and logs in

data/test/mailers/mailer_test.rb

@@ -12,7 +12,7 @@ class MailerTest < ActionMailer::TestCase
   test 'reset_password' do
     email = QuoVadis::Mailer.with(
       email: 'Foo <foo@example.com>',
-      url: 'http://example.com/pwd-reset/123abc'
+      otp: '314159'
     ).reset_password
 
     assert_emails 1 do
@@ -29,7 +29,7 @@ class MailerTest < ActionMailer::TestCase
   test 'account_confirmation' do
     email = QuoVadis::Mailer.with(
       email: 'Foo <foo@example.com>',
-      url: 'http://example.com/confirm/123abc'
+      otp: 271828
     ).account_confirmation
 
     assert_emails 1 do

data/test/models/account_test.rb

@@ -53,4 +53,52 @@ class AccountTest < ActiveSupport::TestCase
     assert_empty account.sessions
   end
 
+
+  test 'otp_for_confirmation' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+
+    otp = account.otp_for_confirmation(1)
+    assert_match /^\d{6}$/, otp
+    refute_equal otp, account.otp_for_confirmation(2)
+  end
+
+
+  test 'confirm' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+
+    otp = account.otp_for_confirmation(1)
+    refute account.confirm('000000', 1)
+    refute account.confirm(otp, 2)
+
+    assert account.confirm(otp, 1)
+    assert account.confirmed?
+  end
+
+
+  test 'otp_for_password_reset' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+
+    otp = account.otp_for_password_reset(1)
+    assert_match /^\d{6}$/, otp
+    refute_equal otp, account.otp_for_password_reset(2)
+
+    account.password.change('123456789abc', 'secretsecret', 'secretsecret')
+    refute_equal otp, account.otp_for_password_reset(1)
+  end
+
+
+  test 'verify_password_reset' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+
+    otp = account.otp_for_password_reset(1)
+    refute account.verify_password_reset('000000', 1)
+    refute account.verify_password_reset(otp, 2)
+
+    assert account.verify_password_reset(otp, 1)
+  end
+
 end

data/test/models/session_test.rb

@@ -2,6 +2,10 @@ require 'test_helper'
 
 class SessionTest < ActiveSupport::TestCase
 
+  teardown do
+    QuoVadis.session_idle_timeout :lifetime
+  end
+
   test 'expired?' do
     refute QuoVadis::Session.new.expired?
     assert QuoVadis::Session.new(lifetime_expires_at: 1.day.ago).expired?

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.1.11
+  version: 2.2.1
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-14 00:00:00.000000000 Z
+date: 2023-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -90,17 +90,11 @@ files:
 - app/controllers/quo_vadis/twofas_controller.rb
 - app/mailers/quo_vadis/mailer.rb
 - app/models/quo_vadis/account.rb
-- app/models/quo_vadis/account_confirmation_token.rb
 - app/models/quo_vadis/log.rb
 - app/models/quo_vadis/password.rb
-- app/models/quo_vadis/password_reset_token.rb
 - app/models/quo_vadis/recovery_code.rb
 - app/models/quo_vadis/session.rb
-- app/models/quo_vadis/token.rb
 - app/models/quo_vadis/totp.rb
-- app/views/quo_vadis/confirmations/edit.html.erb
-- app/views/quo_vadis/confirmations/edit_email.html.erb
-- app/views/quo_vadis/confirmations/index.html.erb
 - app/views/quo_vadis/confirmations/new.html.erb
 - app/views/quo_vadis/logs/index.html.erb
 - app/views/quo_vadis/mailer/account_confirmation.text.erb
@@ -114,7 +108,6 @@ files:
 - app/views/quo_vadis/mailer/totp_setup_notification.text.erb
 - app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb
 - app/views/quo_vadis/password_resets/edit.html.erb
-- app/views/quo_vadis/password_resets/index.html.erb
 - app/views/quo_vadis/password_resets/new.html.erb
 - app/views/quo_vadis/passwords/edit.html.erb
 - app/views/quo_vadis/recovery_codes/challenge.html.erb
@@ -143,6 +136,7 @@ files:
 - lib/quo_vadis/model.rb
 - lib/quo_vadis/version.rb
 - quo_vadis.gemspec
+- test/README.md
 - test/dummy/README.markdown
 - test/dummy/Rakefile
 - test/dummy/app/controllers/application_controller.rb
@@ -203,7 +197,6 @@ files:
 - test/models/password_test.rb
 - test/models/recovery_code_test.rb
 - test/models/session_test.rb
-- test/models/token_test.rb
 - test/models/totp_test.rb
 - test/quo_vadis_test.rb
 - test/test_helper.rb
@@ -226,7 +219,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Multifactor authentication for Rails 6 and 7.

data/app/models/quo_vadis/account_confirmation_token.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-module QuoVadis
-  class AccountConfirmationToken < Token
-    class << self
-
-      def expires_at
-        QuoVadis.account_confirmation_token_lifetime.from_now.to_i
-      end
-
-      def data_for_hmac(data, account)
-        "#{data}-#{account.confirmed?}"
-      end
-
-    end
-  end
-end

data/app/models/quo_vadis/password_reset_token.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-module QuoVadis
-  class PasswordResetToken < Token
-    class << self
-
-      def expires_at
-        QuoVadis.password_reset_token_lifetime.from_now.to_i
-      end
-
-      def data_for_hmac(data, account)
-        "#{data}-#{account.password.password_digest}"
-      end
-
-    end
-  end
-end

data/app/models/quo_vadis/token.rb

@@ -1,42 +0,0 @@
-# frozen_string_literal: true
-
-module QuoVadis
-  class Token
-    extend Hmacable
-
-    class << self
-
-      def generate(account)
-        public_data = "#{account.id}-#{expires_at}"
-        data = data_for_hmac public_data, account
-        "#{public_data}--#{compute_hmac(data)}"
-      end
-
-      def find_account(token)
-        provided_public_data, provided_hmac = token.split '--'
-        id, expires_at = provided_public_data.split '-'
-        account = Account.find id
-        data = data_for_hmac provided_public_data, account
-        actual_hmac = compute_hmac data
-        return nil unless timing_safe_eql? provided_hmac, actual_hmac
-        return nil if expires_at.to_i < Time.current.to_i
-        account
-      rescue
-        nil
-      end
-
-      private
-
-      attr_reader :account
-
-      def expires_at
-        raise NotImplementedError
-      end
-
-      def data_for_hmac(public_data, account)
-        raise NotImplementedError
-      end
-
-    end
-  end
-end

data/app/views/quo_vadis/confirmations/edit.html.erb

@@ -1,10 +0,0 @@
-<h1>Confirm account</h1>
-
-<%= form_with url: confirmation_path(params[:token]), method: :put do |f| %>
-
-  <p>
-    <label>Please click the button to confirm your account:</label>
-    <%= f.submit %>
-  </p>
-
-<% end %>

data/app/views/quo_vadis/confirmations/edit_email.html.erb

@@ -1,14 +0,0 @@
-<h1>Account confirmation: change email</h1>
-
-<p>Please update your email address.</p>
-
-<%= form_with url: update_email_confirmations_path, method: :put do |f| %>
-  <p>
-    <%= f.label :email %>
-    <%= f.text_field :email, value: @email, inputmode: 'email', autocomplete: 'email' %>
-  </p>
-
-  <p>
-    <%= f.submit 'Update my email address and send me a new confirmation email' %>
-  </p>
-<% end %>

data/app/views/quo_vadis/confirmations/index.html.erb

@@ -1,14 +0,0 @@
-<h1>Account confirmation</h1>
-
-<% if @account %>
-  <p>We have sent an email to <%= @account.model.email %>.</p>
-
-  <p>Wrong address?  <%= link_to 'Change it', edit_email_confirmations_path %>.</p>
-
-  <p>Didn't receive it?  <%= button_to 'Get another one', resend_confirmations_path %></p>
-
-<% else %>
-  <p>We have sent an email to you.</p>
-
-  <p><%= link_to 'Request a new email', new_confirmation_path %></p>
-<% end %>

data/app/views/quo_vadis/password_resets/index.html.erb

@@ -1,5 +0,0 @@
-<h1>Password reset</h1>
-
-<p>Please check your email.</p>
-
-<p><%= link_to 'Request a new email', new_password_reset_path %></p>

data/test/models/token_test.rb

@@ -1,70 +0,0 @@
-require 'test_helper'
-
-class TokenTest < ActiveSupport::TestCase
-
-  setup do
-    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
-    @account = u.qv_account
-  end
-
-
-  test 'account confirmation' do
-    token = QuoVadis::AccountConfirmationToken.generate @account
-    assert_match /^\d+-\d+--\h+$/, token
-    assert_equal @account, QuoVadis::AccountConfirmationToken.find_account(token)
-  end
-
-  test 'account confirmation expired' do
-    token = QuoVadis::AccountConfirmationToken.generate @account
-    travel QuoVadis.account_confirmation_token_lifetime + 1.second
-    assert_nil QuoVadis::AccountConfirmationToken.find_account(token)
-  end
-
-  test 'account confirmation already done' do
-    token = QuoVadis::AccountConfirmationToken.generate @account
-    @account.confirmed!
-    assert_nil QuoVadis::AccountConfirmationToken.find_account(token)
-  end
-
-  test 'account confirmation token tampered with' do
-    assert_nil QuoVadis::AccountConfirmationToken.find_account(nil)
-    assert_nil QuoVadis::AccountConfirmationToken.find_account('')
-    assert_nil QuoVadis::AccountConfirmationToken.find_account('asdf')
-
-    token = QuoVadis::AccountConfirmationToken.generate @account
-    id, expires_at, hash = token.match(/^(\d+)-(\d+)--(\h+)$/).captures
-    fake_token = "#{id}-#{expires_at.to_i + 1}--#{hash}"
-    assert_nil QuoVadis::AccountConfirmationToken.find_account(fake_token)
-  end
-
-
-  test 'password reset' do
-    token = QuoVadis::PasswordResetToken.generate @account
-    assert_match /^\d+-\d+--\h+$/, token
-    assert_equal @account, QuoVadis::PasswordResetToken.find_account(token)
-  end
-
-  test 'password reset expired' do
-    token = QuoVadis::PasswordResetToken.generate @account
-    travel QuoVadis.password_reset_token_lifetime + 1.second
-    assert_nil QuoVadis::PasswordResetToken.find_account(token)
-  end
-
-  test 'password reset already done' do
-    token = QuoVadis::PasswordResetToken.generate @account
-    @account.password.reset 'secretsecret', 'secretsecret'
-    assert_nil QuoVadis::PasswordResetToken.find_account(token)
-  end
-
-  test 'password reset token tampered with' do
-    assert_nil QuoVadis::PasswordResetToken.find_account(nil)
-    assert_nil QuoVadis::PasswordResetToken.find_account('')
-    assert_nil QuoVadis::PasswordResetToken.find_account('asdf')
-
-    token = QuoVadis::PasswordResetToken.generate @account
-    id, expires_at, hash = token.match(/^(\d+)-(\d+)--(\h+)$/).captures
-    fake_token = "#{id}-#{expires_at.to_i + 1}--#{hash}"
-    assert_nil QuoVadis::PasswordResetToken.find_account(fake_token)
-  end
-
-end