quo_vadis 2.1.2 → 2.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b81cb83f9cd0b6bb6e9af4015dba59b5cef0f5c3fccd5a82ee6d7e1bbc5768a
-  data.tar.gz: 8a9f5f0c013ec89de6849e9ddb3393fee46b84a2d08b20e606126cf97bba8032
+  metadata.gz: d01da21fdfe58d00e4f073036f53df4e0da212a9b202c31bf9fe9ed162e2e2d5
+  data.tar.gz: f9b7b777065c7b4e1c83ed54330bc08608cc6020f55f1b72d316de5a1e4e06f5
 SHA512:
-  metadata.gz: a7b5e766f22e55e5bc269d00e6fb9132cc54ba2523a72996d0d7da478dbf0662764d29265c591f5847d5f2cfaeaca1e78fb4d48fb8fecb24af0bee9e9c2047e2
-  data.tar.gz: 47bf8bba82c90f3b7527be6a316ec8f9a4b229077a6846454abecebd6d2ae29910f7e416635d9cc1d54e3b99fe87d4c7d0ca871741907f1987d1ee42bf79994b
+  metadata.gz: d3daf72be8a7e1a4545bc8dc7acd77553c62933dd5837e78679a7581cf44356822fbecf4036d5cd8cac5648636a5077e1edd5cb8d6e804ea7c9d55c10b36dc6e
+  data.tar.gz: eee0046f0ae978f537f85946946cb4fe0267fd866216108f226411a3df479cb1b7e9c5c334d120a9107298ce9c30f3b8b6736dcaf6248a9c4a5e23a34962bc2e

data/CHANGELOG.md

@@ -4,6 +4,28 @@
 ## HEAD
 
 
+## 2.1.5 (27 May 2022)
+
+* Order sessions list and display more information.
+* Set status 303 See Other on destroy redirects.
+* Streamline bundler instructions.
+
+
+## 2.1.4 (2 October 2021)
+
+* Allow metadata for login log.
+
+
+## 2.1.3 (30 September 2021)
+
+* Pass IP and timestamp as paramenters to mailer.
+
+
+## 2.1.2 (30 September 2021)
+
+* Delete existing recovery codes when generating new ones.
+
+
 ## 2.1.1 (8 July 2021)
 
 * Remove unnecessary route names.

data/README.md

@@ -37,11 +37,9 @@ Simple to integrate into your application.  The main task is customising the exa
 Add the gem to your Gemfile:
 
 ```ruby
-gem 'quo_vadis', '~> 2.0'
+bundle add 'quo_vadis'
 ```
 
-Then run `bundle install`.
-
 Next, add the database tables:
 
 ```
@@ -119,7 +117,7 @@ end
 
 __`login(model, browser_session = true)`__
 
-To log in a user who has authenticated with a password, call `#login(model, browser_session = true)`.  For the `browser_session` argument, pass `true` to log in for the duration of the browser session, or `false` to log in for `QuoVadis.session_lifetime` (which could be the browser session anyway).
+To log in a user who has authenticated with a password, call `#login(model, browser_session = true, metadata: {})`.  For the `browser_session` argument, optionally pass `true` to log in for the duration of the browser session, or `false` to log in for `QuoVadis.session_lifetime` (which could be the browser session anyway).  Any metadata are stored in the log entry for the login.
 
 __`request_confirmation(model)`__
 

data/app/controllers/quo_vadis/password_resets_controller.rb

@@ -17,7 +17,7 @@ module QuoVadis
 
       if account
         token = QuoVadis::PasswordResetToken.generate account
-        QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.password_reset_url(token)
+        QuoVadis.deliver :reset_password, {email: account.model.email, url: quo_vadis.password_reset_url(token)}
       end
 
       redirect_to password_resets_path, notice: QuoVadis.translate('flash.password_reset.create')

data/app/controllers/quo_vadis/sessions_controller.rb

@@ -9,7 +9,7 @@ module QuoVadis
 
     def index
       @qv_session = qv.session
-      @qv_sessions = @qv_session.account.sessions
+      @qv_sessions = @qv_session.account.sessions.new_to_old
     end
 
 
@@ -58,12 +58,12 @@ module QuoVadis
         current_qv_session.account.sessions.destroy params[:id]
         qv.log current_qv_session.account, Log::LOGOUT_OTHER
         flash[:notice] = QuoVadis.translate 'flash.logout.other'
-        redirect_to action: :index
+        redirect_to action: :index, status: :see_other
       else  # this session
         qv.log authenticated_model.qv_account, Log::LOGOUT
         qv.logout
         flash[:notice] = QuoVadis.translate 'flash.logout.self'
-        redirect_to main_app.root_path
+        redirect_to main_app.root_path, status: :see_other
       end
     end
 

data/app/controllers/quo_vadis/twofas_controller.rb

@@ -14,7 +14,7 @@ module QuoVadis
       account.sessions.each &:reset_authenticated_with_second_factor  # OWASP ASV v4.0, 2.8.6
       qv.log account, Log::TWOFA_DEACTIVATED
       QuoVadis.notify :twofa_deactivated_notification, email: authenticated_model.email
-      redirect_to twofa_path, notice: QuoVadis.translate('flash.2fa.invalidated')
+      redirect_to twofa_path, notice: QuoVadis.translate('flash.2fa.invalidated'), status: :see_other
     end
 
     private

data/app/mailers/quo_vadis/mailer.rb

@@ -14,52 +14,52 @@ module QuoVadis
     end
 
     def email_change_notification
-      @timestamp = Time.now
-      @ip = QuoVadis::CurrentRequestDetails.ip
+      @timestamp = params[:timestamp]
+      @ip = params[:ip]
       _mail params[:email], QuoVadis.translate('mailer.notification.email_change')
     end
 
     def identifier_change_notification
-      @timestamp = Time.now
+      @timestamp = params[:timestamp]
       @identifier = params[:identifier]
-      @ip = QuoVadis::CurrentRequestDetails.ip
+      @ip = params[:ip]
       _mail params[:email], QuoVadis.translate('mailer.notification.identifier_change',
                                                identifier: params[:identifier])
     end
 
     def password_change_notification
-      @timestamp = Time.now
-      @ip = QuoVadis::CurrentRequestDetails.ip
+      @timestamp = params[:timestamp]
+      @ip = params[:ip]
       _mail params[:email], QuoVadis.translate('mailer.notification.password_change')
     end
 
     def password_reset_notification
-      @timestamp = Time.now
-      @ip = QuoVadis::CurrentRequestDetails.ip
+      @timestamp = params[:timestamp]
+      @ip = params[:ip]
       _mail params[:email], QuoVadis.translate('mailer.notification.password_reset')
     end
 
     def totp_setup_notification
-      @timestamp = Time.now
-      @ip = QuoVadis::CurrentRequestDetails.ip
+      @timestamp = params[:timestamp]
+      @ip = params[:ip]
       _mail params[:email], QuoVadis.translate('mailer.notification.totp_setup')
     end
 
     def totp_reuse_notification
-      @timestamp = Time.now
-      @ip = QuoVadis::CurrentRequestDetails.ip
+      @timestamp = params[:timestamp]
+      @ip = params[:ip]
       _mail params[:email], QuoVadis.translate('mailer.notification.totp_reuse')
     end
 
     def twofa_deactivated_notification
-      @timestamp = Time.now
-      @ip = QuoVadis::CurrentRequestDetails.ip
+      @timestamp = params[:timestamp]
+      @ip = params[:ip]
       _mail params[:email], QuoVadis.translate('mailer.notification.twofa_deactivated')
     end
 
     def recovery_codes_generation_notification
-      @timestamp = Time.now
-      @ip = QuoVadis::CurrentRequestDetails.ip
+      @timestamp = params[:timestamp]
+      @ip = params[:ip]
       _mail params[:email], QuoVadis.translate('mailer.notification.recovery_codes_generation')
     end
 

data/app/models/quo_vadis/session.rb

@@ -9,6 +9,7 @@ module QuoVadis
 
     belongs_to :account
     validates :ip, presence: true
+    scope :new_to_old, -> { order create_at: :desc }
 
     attribute :last_seen_at, :datetime, default: -> { Time.now.utc }
 

data/app/views/quo_vadis/sessions/index.html.erb

@@ -3,6 +3,9 @@
 <table>
   <thead>
     <tr>
+      <th>Signed in</th>
+      <th>Last seen</th>
+      <th>2FA used</th>
       <th>IP</th>
       <th>User agent</th>
       <th></th>
@@ -11,6 +14,9 @@
   <tbody>
     <% @qv_sessions.each do |sess| %>
       <tr>
+        <td><time datetime="<%= sess.created_at.to_formatted_s(:iso_8601) %>"><%= sess.created_at.to_formatted_s('%-d %B %Y') %></time></td>
+        <td><time datetime="<%= sess.last_seen_at.to_formatted_s(:iso_8601) %>"><%= sess.last_seen_at.to_formatted_s('%-d %B %Y') %></time></td>
+        <td><%= sess.second_factor_authenticated? ? 'Yes' : 'No' %></td>
         <td><%= sess.ip %></td>
         <td><%= sess.user_agent %></td>
         <td>

data/lib/quo_vadis/controller.rb

@@ -36,8 +36,8 @@ module QuoVadis
     #
     # browser_session - true: login only for duration of browser session
     #                   false: login for QuoVadis.session_lifetime (which may be browser session anyway)
-    def login(model, browser_session = true)
-      qv.log model.qv_account, Log::LOGIN_SUCCESS
+    def login(model, browser_session = true, metadata: {})
+      qv.log model.qv_account, Log::LOGIN_SUCCESS, metadata
 
       qv.prevent_rails_session_fixation
 
@@ -87,7 +87,7 @@ module QuoVadis
 
     def request_confirmation(model)
       token = QuoVadis::AccountConfirmationToken.generate model.qv_account
-      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.confirmation_url(token)
+      QuoVadis.deliver :account_confirmation, {email: model.email, url: quo_vadis.confirmation_url(token)}
       session[:account_pending_confirmation] = model.qv_account.id
 
       flash[:notice] = QuoVadis.translate 'flash.confirmation.create'

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.1.2'
+  VERSION = '2.1.5'
 end

data/lib/quo_vadis.rb

@@ -73,12 +73,14 @@ module QuoVadis
     end
 
     def notify(action, params)
-      QuoVadis::Mailer.with(params).send(action).deliver_later
+      deliver(action, params, later: true)
     end
 
-    def deliver(action, params)
-      mail = QuoVadis::Mailer.with(params).send(action)
-      QuoVadis.enqueue_transactional_emails ?
+    def deliver(action, params, later: QuoVadis.enqueue_transactional_emails)
+      mail = QuoVadis::Mailer
+        .with(params.merge(ip: QuoVadis::CurrentRequestDetails.ip, timestamp: Time.now))
+        .send(action)
+      later ?
         mail.deliver_later :
         mail.deliver_now
     end

data/quo_vadis.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.authors       = ['Andy Stewart']
   spec.email         = ['boss@airbladesoftware.com']
 
-  spec.summary       = 'Multifactor authentication for Rails 6.'
+  spec.summary       = 'Multifactor authentication for Rails 6 and 7.'
   spec.homepage      = 'https://github.com/airblade/quo_vadis'
   spec.license       = 'MIT'
 

data/test/mailers/mailer_test.rb

@@ -44,14 +44,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'email change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').email_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).email_change_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -62,14 +64,17 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'identifier change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>', identifier: 'email').identifier_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      identifier: 'email',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).identifier_change_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -80,14 +85,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'password change notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_change_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).password_change_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -98,14 +105,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'password reset notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_reset_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).password_reset_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -116,14 +125,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'totp setup notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_setup_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).totp_setup_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -134,14 +145,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'totp reuse notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_reuse_notification
+    email = QuoVadis::Mailer.with(
+      email:     'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).totp_reuse_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -152,14 +165,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test '2fa deactivated notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').twofa_deactivated_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).twofa_deactivated_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to
@@ -170,14 +185,16 @@ class MailerTest < ActionMailer::TestCase
 
 
   test 'recovery codes generation notification' do
-    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').recovery_codes_generation_notification
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      ip:        '1.2.3.4',
+      timestamp: Time.now
+    ).recovery_codes_generation_notification
 
     # freeze_time
 
     assert_emails 1 do
-      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
-        email.deliver_now
-      end
+      email.deliver_now
     end
 
     assert_equal ['foo@example.com'], email.to

data/test/models/account_test.rb

@@ -13,8 +13,11 @@ class AccountTest < ActiveSupport::TestCase
 
 
   test 'notifies on identifier change when notifier is not email' do
+    freeze_time
     p = Person.create! username: 'bob', email: 'bob@example.com', password: 'secretsecret'
-    assert_enqueued_email_with QuoVadis::Mailer, :identifier_change_notification, args: {email: 'bob@example.com', identifier: 'username'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :identifier_change_notification,
+      args: {email: 'bob@example.com', identifier: 'username', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         p.update username: 'robert@example.com'
       end
@@ -23,8 +26,11 @@ class AccountTest < ActiveSupport::TestCase
 
 
   test 'does not notify on identifier change when notifier is email' do
+    freeze_time
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
-    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :email_change_notification,
+      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         u.update email: 'robert@example.com'
       end

data/test/models/model_test.rb

@@ -58,8 +58,11 @@ class ModelTest < ActiveSupport::TestCase
 
 
   test 'notifies on email change' do
+    freeze_time
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
-    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+    assert_enqueued_email_with QuoVadis::Mailer,
+      :email_change_notification,
+      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       u.update email: 'robert@example.com'
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.1.2
+  version: 2.1.5
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-30 00:00:00.000000000 Z
+date: 2022-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -224,8 +224,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
-summary: Multifactor authentication for Rails 6.
+summary: Multifactor authentication for Rails 6 and 7.
 test_files: []