quo_vadis 2.1.5 → 2.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d01da21fdfe58d00e4f073036f53df4e0da212a9b202c31bf9fe9ed162e2e2d5
-  data.tar.gz: f9b7b777065c7b4e1c83ed54330bc08608cc6020f55f1b72d316de5a1e4e06f5
+  metadata.gz: d11498bfa66e0397304c2d9a0f8ac504037f97beac4fd039fe6c8d0299696531
+  data.tar.gz: 2d1e267c7b55740c72087e297960ff6ececb1caee45a17eb588bf7e44ba64d31
 SHA512:
-  metadata.gz: d3daf72be8a7e1a4545bc8dc7acd77553c62933dd5837e78679a7581cf44356822fbecf4036d5cd8cac5648636a5077e1edd5cb8d6e804ea7c9d55c10b36dc6e
-  data.tar.gz: eee0046f0ae978f537f85946946cb4fe0267fd866216108f226411a3df479cb1b7e9c5c334d120a9107298ce9c30f3b8b6736dcaf6248a9c4a5e23a34962bc2e
+  metadata.gz: e4e7c7bb2996556b35b153c56916aef9834dcac2abea08ede8becc14e030d8f4ea1444f9286c1ca9b728c1a13c16d8d9b2e701255d57b769c7dc9abefa84a976
+  data.tar.gz: f466404a5ba44bfd506cbcd2fdc7b2f2d142ecab419363e3c368bb5eca67cfc78829afa698b8b0dc1cc76210b531a32a44c3bfdcd1ae709cf9eafe740861f089

data/CHANGELOG.md

@@ -4,6 +4,23 @@
 ## HEAD
 
 
+## 2.1.8 (18 June 2022)
+
+* Extract convenience method for has authentication account.
+* Only authenticating models react to email change.
+
+
+## 2.1.7 (30 May 2022)
+
+* Use SHA256 digest for encryption.
+* Use <time> element in logs view.
+
+
+## 2.1.6 (30 May 2022)
+
+* Fix typo in session scope.
+
+
 ## 2.1.5 (27 May 2022)
 
 * Order sessions list and display more information.

data/README.md

@@ -1,6 +1,6 @@
 # Quo Vadis
 
-Multifactor authentication for your Rails 6 app.
+Multifactor authentication for your Rails 6 or Rails 7 app.
 
 Designed in accordance with the [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) and relevant [OWASP Cheatsheets](https://cheatsheetseries.owasp.org).
 
@@ -537,6 +537,6 @@ If you don't want a specific flash message at all, give the key an empty value i
 
 ## Intellectual Property
 
-Copyright 2011-2021 Andrew Stewart (boss@airbladesoftware.com).
+Copyright 2011-2022 Andrew Stewart (boss@airbladesoftware.com).
 
 Released under the MIT licence.

data/app/models/quo_vadis/session.rb

@@ -9,7 +9,7 @@ module QuoVadis
 
     belongs_to :account
     validates :ip, presence: true
-    scope :new_to_old, -> { order create_at: :desc }
+    scope :new_to_old, -> { order created_at: :desc }
 
     attribute :last_seen_at, :datetime, default: -> { Time.now.utc }
 

data/app/views/quo_vadis/logs/index.html.erb

@@ -12,7 +12,7 @@
   <tbody>
     <% @logs.each do |log| %>
       <tr>
-        <td><%= log.created_at %></td>
+        <td><time datetime="<%= log.created_at.to_formatted_s(:iso8601) %>"><%= log.created_at.to_formatted_s('%-d %B %Y') %></time></td>
         <td><%= QuoVadis.translate "log.action.#{log.action}" %></td>
         <td><%= log.ip %></td>
         <td><%= log.metadata.empty? ? '' : log.metadata.map {|k,v| "#{k}: #{v}"}.join(', ') %></td>

data/lib/quo_vadis/crypt.rb

@@ -8,7 +8,7 @@ module QuoVadis
       return '' if value == ''
 
       salt = SecureRandom.hex KEY_LENGTH
-      crypt = encryptor key(salt)
+      crypt = encryptor salt
       ciphertext = crypt.encrypt_and_sign value
       [salt, ciphertext].join SEPARATOR
     end
@@ -18,7 +18,7 @@ module QuoVadis
       return '' if value == ''
 
       salt, data = value.split SEPARATOR
-      crypt = encryptor key(salt)
+      crypt = encryptor salt
       crypt.decrypt_and_verify(data)
     end
 
@@ -27,12 +27,18 @@ module QuoVadis
     KEY_LENGTH = ActiveSupport::MessageEncryptor.key_len
     SEPARATOR = '$$'
 
-    def self.encryptor(key)
-      ActiveSupport::MessageEncryptor.new(key)
+    def self.encryptor(salt)
+      key_sha256 = key salt, OpenSSL::Digest::SHA256
+      key_sha1   = key salt, OpenSSL::Digest::SHA1
+      ActiveSupport::MessageEncryptor.new(key_sha256).tap { |crypt|
+        crypt.rotate key_sha1
+      }
     end
 
-    def self.key(salt)
-      ActiveSupport::KeyGenerator.new(secret).generate_key(salt, KEY_LENGTH)
+    def self.key(salt, hash_digest_class)
+      ActiveSupport::KeyGenerator
+        .new(secret, hash_digest_class: hash_digest_class)
+        .generate_key(salt, KEY_LENGTH)
     end
 
     def self.secret

data/lib/quo_vadis/model.rb

@@ -14,7 +14,7 @@ module QuoVadis
 
         has_one :qv_account, as: :model, class_name: 'QuoVadis::Account', dependent: :destroy, autosave: true
 
-        before_validation :qv_copy_identifier_to_account, if: Proc.new { |m| m.qv_account }
+        before_validation :qv_copy_identifier_to_account, if: :has_authentication_account?
 
         validate :qv_copy_password_errors, if: Proc.new { |m| m.qv_account&.password }
 
@@ -29,8 +29,8 @@ module QuoVadis
           qv_account.identifier = send identifier
         end
 
-        after_update :qv_log_email_change, if: :saved_change_to_email?
-        after_update :qv_notify_email_change, if: :saved_change_to_email?
+        after_update :qv_log_email_change,    if: [:has_authentication_account?, :saved_change_to_email?]
+        after_update :qv_notify_email_change, if: [:has_authentication_account?, :saved_change_to_email?]
 
         QuoVadis.register_model self.name, identifier
       end
@@ -57,6 +57,10 @@ module QuoVadis
         qv_account.revoke
       end
 
+      def has_authentication_account?
+        !!qv_account
+      end
+
       private
 
       def qv_copy_password_errors

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.1.5'
+  VERSION = '2.1.8'
 end

data/test/integration/sessions_test.rb

@@ -54,7 +54,7 @@ class SessionsTest < IntegrationTest
     phone.get quo_vadis.sessions_path
     phone.assert_response :success
     phone.assert_select 'td', 'This session'
-    phone.assert_select 'td input[type=submit][value="Log out"]', 1
+    phone.assert_select 'td button[type=submit]', text: 'Log out', count: 1
 
     # on phone, log out the desktop session
     phone.delete quo_vadis.session_path(QuoVadis::Session.first.id)

data/test/models/crypt_test.rb

@@ -4,6 +4,13 @@ class CryptTest < ActiveSupport::TestCase
 
   setup do
     @crypt = QuoVadis::Crypt
+
+    @crypt_sha1 = Class.new(QuoVadis::Crypt) do
+      def self.encryptor(salt)
+        key_sha1 = key salt, OpenSSL::Digest::SHA1
+        ActiveSupport::MessageEncryptor.new key_sha1
+      end
+    end
   end
 
   test 'round trip' do
@@ -19,4 +26,16 @@ class CryptTest < ActiveSupport::TestCase
     refute_equal ciphertext, @crypt.encrypt(plaintext)
   end
 
+  test 'rotation' do
+    # This test only works if our test Rails contains this commit:
+    # https://github.com/rails/rails/commit/447e28347eb46e2ad5dc625de616152bd1b69a32
+    return unless ActiveSupport::KeyGenerator.respond_to? :hash_digest_class
+
+    plaintext = 'the quick brown fox'
+    # Encrypt with SHA1 digest
+    ciphertext_sha1 = @crypt_sha1.encrypt plaintext
+    # Ensure code can decrypt it.
+    assert_equal plaintext, @crypt.decrypt(ciphertext_sha1)
+  end
+
 end

data/test/models/model_test.rb

@@ -66,4 +66,14 @@ class ModelTest < ActiveSupport::TestCase
       u.update email: 'robert@example.com'
     end
   end
+
+
+  test 'does not notify or log on email change when no account' do
+    u = User.create! name: 'bob', email: 'bob@example.com'
+    assert_no_difference 'QuoVadis::Log.count' do
+      assert_no_enqueued_emails do
+        u.update email: 'robert@example.com'
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.1.5
+  version: 2.1.8
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-27 00:00:00.000000000 Z
+date: 2022-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails