quo_vadis 2.1.6 → 2.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ae53bae73aaf968a8edec5148304394b411eace9c0df39069c6b240e90a6ea9
-  data.tar.gz: 4980707b8a6670298f0d99f7f1a554767c12323055d5103057c3028837da49af
+  metadata.gz: 3776f82ebb4987586131a44692de5891ec821e7e82a1de249fc3d8905ef551d8
+  data.tar.gz: 6914f2e05d50ffbd9451d6e50484674d7bb775d2d871922749cc4be1553e35a6
 SHA512:
-  metadata.gz: 00f025682cb8623ff02713e15bf25fdcc8c2a2964273bbc9f450f562375d18dd508ae1e729657cfa2275f2cb92672ef75b278edf8dbebd75cb2d6064d6c974b9
-  data.tar.gz: c017aa443847c3d62dd17e8e384f50db13e11f63189008787be7d896ebc80a362318328139537859d8613a240607362ef2bd81c5022a99a358086f77d079bedf
+  metadata.gz: 5229c567fe09a76fad025b0dea0fc36192defd24e04077374816cfb99414b6a9cc3213e8410f5ee23fedb297d1b157d64345c317d646d1226655c5e60e50c1ac
+  data.tar.gz: 0ace7c8c5c1075eec8a54aa31ba01564a8a9ff0fec23387650a00a1721affca7c9326e083ac9f26a8afdd04bee6f6e8a748ae1c9bbf5b4e9d3b005804362afe6

data/CHANGELOG.md

@@ -4,6 +4,23 @@
 ## HEAD
 
 
+## 2.1.9 (13 September 2022)
+
+* Enable code to be run after sign up.
+
+
+## 2.1.8 (18 June 2022)
+
+* Extract convenience method for has authentication account.
+* Only authenticating models react to email change.
+
+
+## 2.1.7 (30 May 2022)
+
+* Use SHA256 digest for encryption.
+* Use <time> element in logs view.
+
+
 ## 2.1.6 (30 May 2022)
 
 * Fix typo in session scope.
@@ -23,7 +40,7 @@
 
 ## 2.1.3 (30 September 2021)
 
-* Pass IP and timestamp as paramenters to mailer.
+* Pass IP and timestamp as parameters to mailer.
 
 
 ## 2.1.2 (30 September 2021)

data/README.md

@@ -1,6 +1,6 @@
 # Quo Vadis
 
-Multifactor authentication for your Rails 6 app.
+Multifactor authentication for your Rails 6 or Rails 7 app.
 
 Designed in accordance with the [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) and relevant [OWASP Cheatsheets](https://cheatsheetseries.owasp.org).
 
@@ -177,7 +177,7 @@ Your new user sign-up form ([example](https://github.com/airblade/quo_vadis/blob
 
 In your controller, use the `#login` method to log in your new user.  The optional second argument sets the length of the session (defaults to the browser session) - see the description above in the Controllers section).
 
-After logging in the user, redirect them to `qv.path_after_authentication` which resolves to a route named `:after_login`, if you have one, or your root route.
+After logging in the user, redirect them wherever you like.  You can use `qv.path_after_signup` which resolves to the first of these routes that exists: `:after_signup`, `:after_login`, the root route.
 
 ```ruby
 class UsersController < ApplicationController
@@ -185,7 +185,7 @@ class UsersController < ApplicationController
     @user = User.new user_params
     if @user.save
       login @user
-      redirect_to qv.path_after_authentication
+      redirect_to qv.path_after_signup
     else
       # ...
     end
@@ -258,10 +258,7 @@ Next, write the page where the user can amend their email address if they made a
 
 Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another confirmation email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/new.html.erb)).  It must be in `app/views/quo_vadis/confirmations/new.html.:format`.
 
-After the user has confirmed their account, they will be logged in and redirected to the first of these that exists:
-
-- a route named `:after_login`;
-- your root route.
+After the user has confirmed their account, they will be logged in and redirected to `qv.path_after_signup` which resolves to the first of these routes that exists: `:after_signup`, `:after_login`, the root route.
 
 So add whichever works best for you.
 
@@ -518,12 +515,13 @@ end
 
 __Routes__
 
-You can set up your post-authentication and post-password-change routes.  If you don't, you must have a root route.  For example:
+You can set up your post-signup, post-authentication, and post-password-change routes.  If you don't, you must have a root route.  For example:
 
 ```ruby
 # config/routes.rb
-get '/dashboard', to: 'dashboards#show', as: 'after_login'
-get '/profile',   to: 'profiles#show',   as: 'after_password_change'
+get '/signups/confirmed', to: 'dashboards#show', as: 'after_signup'
+get '/dashboard',         to: 'dashboards#show', as: 'after_login'
+get '/profile',           to: 'profiles#show',   as: 'after_password_change'
 ```
 
 ### I18n
@@ -537,6 +535,6 @@ If you don't want a specific flash message at all, give the key an empty value i
 
 ## Intellectual Property
 
-Copyright 2011-2021 Andrew Stewart (boss@airbladesoftware.com).
+Copyright 2011-2022 Andrew Stewart (boss@airbladesoftware.com).
 
 Released under the MIT licence.

data/app/controllers/quo_vadis/confirmations_controller.rb

@@ -51,7 +51,7 @@ module QuoVadis
       session.delete :account_pending_confirmation
 
       login account.model, true
-      redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.confirmation.confirmed')
+      redirect_to qv.path_after_signup, notice: QuoVadis.translate('flash.confirmation.confirmed')
     end
 
 

data/app/views/quo_vadis/logs/index.html.erb

@@ -12,7 +12,7 @@
   <tbody>
     <% @logs.each do |log| %>
       <tr>
-        <td><%= log.created_at %></td>
+        <td><time datetime="<%= log.created_at.to_formatted_s(:iso8601) %>"><%= log.created_at.to_formatted_s('%-d %B %Y') %></time></td>
         <td><%= QuoVadis.translate "log.action.#{log.action}" %></td>
         <td><%= log.ip %></td>
         <td><%= log.metadata.empty? ? '' : log.metadata.map {|k,v| "#{k}: #{v}"}.join(', ') %></td>

data/lib/quo_vadis/controller.rb

@@ -192,6 +192,13 @@ module QuoVadis
         Log.create account: account, action: action, ip: request.remote_ip, metadata: metadata
       end
 
+      def path_after_signup
+        return main_app.after_signup_path if main_app.respond_to?(:after_signup_path)
+        return main_app.after_login_path  if main_app.respond_to?(:after_login_path)
+        return main_app.root_path         if main_app.respond_to?(:root_path)
+        raise RuntimeError, 'Missing routes: after_signup_path, after_login_path, root_path; define at least one of them.'
+      end
+
       def path_after_authentication
         if (bookmark = rails_session[:qv_bookmark])
           rails_session.delete :qv_bookmark

data/lib/quo_vadis/crypt.rb

@@ -8,7 +8,7 @@ module QuoVadis
       return '' if value == ''
 
       salt = SecureRandom.hex KEY_LENGTH
-      crypt = encryptor key(salt)
+      crypt = encryptor salt
       ciphertext = crypt.encrypt_and_sign value
       [salt, ciphertext].join SEPARATOR
     end
@@ -18,7 +18,7 @@ module QuoVadis
       return '' if value == ''
 
       salt, data = value.split SEPARATOR
-      crypt = encryptor key(salt)
+      crypt = encryptor salt
       crypt.decrypt_and_verify(data)
     end
 
@@ -27,12 +27,18 @@ module QuoVadis
     KEY_LENGTH = ActiveSupport::MessageEncryptor.key_len
     SEPARATOR = '$$'
 
-    def self.encryptor(key)
-      ActiveSupport::MessageEncryptor.new(key)
+    def self.encryptor(salt)
+      key_sha256 = key salt, OpenSSL::Digest::SHA256
+      key_sha1   = key salt, OpenSSL::Digest::SHA1
+      ActiveSupport::MessageEncryptor.new(key_sha256).tap { |crypt|
+        crypt.rotate key_sha1
+      }
     end
 
-    def self.key(salt)
-      ActiveSupport::KeyGenerator.new(secret).generate_key(salt, KEY_LENGTH)
+    def self.key(salt, hash_digest_class)
+      ActiveSupport::KeyGenerator
+        .new(secret, hash_digest_class: hash_digest_class)
+        .generate_key(salt, KEY_LENGTH)
     end
 
     def self.secret

data/lib/quo_vadis/model.rb

@@ -14,7 +14,7 @@ module QuoVadis
 
         has_one :qv_account, as: :model, class_name: 'QuoVadis::Account', dependent: :destroy, autosave: true
 
-        before_validation :qv_copy_identifier_to_account, if: Proc.new { |m| m.qv_account }
+        before_validation :qv_copy_identifier_to_account, if: :has_authentication_account?
 
         validate :qv_copy_password_errors, if: Proc.new { |m| m.qv_account&.password }
 
@@ -29,8 +29,8 @@ module QuoVadis
           qv_account.identifier = send identifier
         end
 
-        after_update :qv_log_email_change, if: :saved_change_to_email?
-        after_update :qv_notify_email_change, if: :saved_change_to_email?
+        after_update :qv_log_email_change,    if: [:has_authentication_account?, :saved_change_to_email?]
+        after_update :qv_notify_email_change, if: [:has_authentication_account?, :saved_change_to_email?]
 
         QuoVadis.register_model self.name, identifier
       end
@@ -57,6 +57,10 @@ module QuoVadis
         qv_account.revoke
       end
 
+      def has_authentication_account?
+        !!qv_account
+      end
+
       private
 
       def qv_copy_password_errors

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.1.6'
+  VERSION = '2.1.9'
 end

data/test/dummy/app/controllers/sign_ups_controller.rb

@@ -26,6 +26,11 @@ class SignUpsController < ApplicationController
     @user = User.find params[:id]
   end
 
+  def confirmed
+    # Here we could send an email.
+    redirect_to after_login_path
+  end
+
   private
 
   def user_params

data/test/dummy/config/routes.rb

@@ -1,5 +1,6 @@
 Rails.application.routes.draw do
   resources :users
+  get '/sign_ups/confirmed', to: 'sign_ups#confirmed', as: 'after_signup'
   resources :sign_ups
   resources :articles do
     collection do

data/test/integration/account_confirmation_test.rb

@@ -33,6 +33,8 @@ class AccountConfirmationTest < IntegrationTest
     put action_path
 
     # verify logged in
+    assert_redirected_to '/sign_ups/confirmed'
+    follow_redirect!
     assert_redirected_to '/articles/secret'
     assert_equal 'Thanks for confirming your account.  You are now logged in.', flash[:notice]
     assert controller.logged_in?
@@ -101,6 +103,8 @@ class AccountConfirmationTest < IntegrationTest
 
     put extract_path_from_email
 
+    assert_redirected_to '/sign_ups/confirmed'
+    follow_redirect!
     assert_redirected_to '/articles/secret'
     assert_equal 'Thanks for confirming your account.  You are now logged in.', flash[:notice]
 

data/test/integration/sessions_test.rb

@@ -54,7 +54,7 @@ class SessionsTest < IntegrationTest
     phone.get quo_vadis.sessions_path
     phone.assert_response :success
     phone.assert_select 'td', 'This session'
-    phone.assert_select 'td input[type=submit][value="Log out"]', 1
+    phone.assert_select 'td button[type=submit]', text: 'Log out', count: 1
 
     # on phone, log out the desktop session
     phone.delete quo_vadis.session_path(QuoVadis::Session.first.id)

data/test/models/crypt_test.rb

@@ -4,6 +4,13 @@ class CryptTest < ActiveSupport::TestCase
 
   setup do
     @crypt = QuoVadis::Crypt
+
+    @crypt_sha1 = Class.new(QuoVadis::Crypt) do
+      def self.encryptor(salt)
+        key_sha1 = key salt, OpenSSL::Digest::SHA1
+        ActiveSupport::MessageEncryptor.new key_sha1
+      end
+    end
   end
 
   test 'round trip' do
@@ -19,4 +26,16 @@ class CryptTest < ActiveSupport::TestCase
     refute_equal ciphertext, @crypt.encrypt(plaintext)
   end
 
+  test 'rotation' do
+    # This test only works if our test Rails contains this commit:
+    # https://github.com/rails/rails/commit/447e28347eb46e2ad5dc625de616152bd1b69a32
+    return unless ActiveSupport::KeyGenerator.respond_to? :hash_digest_class
+
+    plaintext = 'the quick brown fox'
+    # Encrypt with SHA1 digest
+    ciphertext_sha1 = @crypt_sha1.encrypt plaintext
+    # Ensure code can decrypt it.
+    assert_equal plaintext, @crypt.decrypt(ciphertext_sha1)
+  end
+
 end

data/test/models/model_test.rb

@@ -66,4 +66,14 @@ class ModelTest < ActiveSupport::TestCase
       u.update email: 'robert@example.com'
     end
   end
+
+
+  test 'does not notify or log on email change when no account' do
+    u = User.create! name: 'bob', email: 'bob@example.com'
+    assert_no_difference 'QuoVadis::Log.count' do
+      assert_no_enqueued_emails do
+        u.update email: 'robert@example.com'
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.1.6
+  version: 2.1.9
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-30 00:00:00.000000000 Z
+date: 2022-09-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -224,7 +224,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: Multifactor authentication for Rails 6 and 7.