quo_vadis 2.2.0 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e9808f4e29d96b1c9deac895bb45ebacbeb046928f22851fe618593abb49fa4
-  data.tar.gz: 38980863633e441f4c5d28c2fe03e5d8e6357afc4f4ddd4546f4492205aee48c
+  metadata.gz: f5f77cea22311c350e1a0671c147db092e3e6c46164a468bff88904eb5fdb742
+  data.tar.gz: 03f0d04ea03e4e84b45d83fb494959a02f0483b5fd145ff550200fdbb6639ab6
 SHA512:
-  metadata.gz: cb68d8909ca3343ed508dbe5c0510860a358cb39398d2bb5b91f999c6a74935e8bb09d41a27de5bcdc1a3061cb280865ce146fa168fa88690fc37f030cd83a78
-  data.tar.gz: 6b5e022eab6f659dd4620117595c9ff9b9527f532d6963b732d149db4316f833626cca40f5e89cd7b8071ebea7e87ff64462c71c8104628b033447debec7a2a2
+  metadata.gz: b96e1e5398ded302e9efb69c6e268307606535fc63346acc4faf0443098eb500c97daa107be2ccced4151078c90aac9917a72e037023aeea7cf460a7c706dde8
+  data.tar.gz: 6de70ddbe36d8c5334d1a6ab95da333ab59d28a98a0c1a57ca1c47e1375a156df5c689fbc66f90e70ea44d3e46e2a9af3ad4b4b8a7d8e86fd6ed27e2055ab5e4

data/CHANGELOG.md

@@ -4,13 +4,27 @@
 ## HEAD
 
 
+## 2.2.2 (30 April 2024)
+
+* Do not update last activity time for ActiveStorage (#23).
+* Fix login success-flash to not be reset (#37).
+* Add issue numbers to changelog entries.
+
+
+## 2.2.1 (1 August 2023)
+
+* Do not clear application session data on logout (#34).
+* Use 'email' type for email input fields.
+* Document how to log out.
+
+
 ## 2.2.0 (17 April 2023)
 
 * Improve the readme with internal links and more section headings.
-* Rename `password_reset_token_lifetime` to `password_reset_otp_lifetime`.
-* Use OTP instead of link for password reset.
-* Rename `account_confirmation_token_lifetime` to `account_confirmation_otp_lifetime`.
-* Use OTP instead of link for account confirmation.
+* Rename `password_reset_token_lifetime` to `password_reset_otp_lifetime` (#28).
+* Use OTP instead of link for password reset (#28).
+* Rename `account_confirmation_token_lifetime` to `account_confirmation_otp_lifetime` (#28).
+* Use OTP instead of link for account confirmation (#28).
 
 
 ## 2.1.11 (14 September 2022)
@@ -20,18 +34,18 @@
 
 ## 2.1.10 (14 September 2022)
 
-* Enable configuration of mailer superclass.
+* Enable configuration of mailer superclass (#30).
 
 
 ## 2.1.9 (13 September 2022)
 
-* Enable code to be run after sign up.
+* Enable code to be run after sign up (#29).
 
 
 ## 2.1.8 (18 June 2022)
 
-* Extract convenience method for has authentication account.
-* Only authenticating models react to email change.
+* Extract convenience method for has authentication account (#26).
+* Only authenticating models react to email change (#26).
 
 
 ## 2.1.7 (30 May 2022)
@@ -47,7 +61,7 @@
 
 ## 2.1.5 (27 May 2022)
 
-* Order sessions list and display more information.
+* Order sessions list and display more information (#25).
 * Set status 303 See Other on destroy redirects.
 * Streamline bundler instructions.
 
@@ -59,7 +73,7 @@
 
 ## 2.1.3 (30 September 2021)
 
-* Pass IP and timestamp as parameters to mailer.
+* Pass IP and timestamp as parameters to mailer (#24).
 
 
 ## 2.1.2 (30 September 2021)
@@ -71,8 +85,8 @@
 
 * Remove unnecessary route names.
 * Add user revocation.
-* Ensure password is only updated via #change or #reset.
-* Move views into gem's app/views/ directory.
+* Ensure password is only updated via #change or #reset (#15).
+* Move views into gem's app/views/ directory (#22).
 
 
 ## 2.1.0 (25 June 2021)
@@ -90,8 +104,8 @@
 
 ## 2.0.2 (24 May 2021)
 
-* Account confirmation: enable updating of email address.
-* Account confirmation: enable direct resending of email.
+* Account confirmation: enable updating of email address (#21).
+* Account confirmation: enable direct resending of email (#21).
 * Log unknown identifier in metadata.
 
 

data/README.md

@@ -171,7 +171,7 @@ Your new user sign-up form ([example](https://github.com/airblade/quo_vadis/blob
 - a field for their identifier;
 - an `:email` field if the identifier is not their email.
 
-In your controller, use the [`#login`](#loginmodel-browser_session-%3D-true) method to log in your new user.  The optional second argument specifies for how long the user should be logged in, and any metadata you supply is logged in the audit log.
+In your controller, use the [`#login`](#loginmodel-browser_session--true-metadata-) method to log in your new user.  The optional second argument specifies for how long the user should be logged in, and any metadata you supply is logged in the audit log.
 
 After logging in the user, redirect them wherever you like.  You can use `qv.path_after_signup` which resolves to the first of these routes that exists: `:after_signup`, `:after_login`, the root route.
 
@@ -238,6 +238,40 @@ After authenticating the user will be redirected to the first of these that exis
 - your root route.
 
 
+### Logout
+
+Send a DELETE request to `quo_vadis.logout_path`.  For example:
+
+```ruby
+button_to 'Log out', quo_vadis.logout_path, method: :delete
+```
+
+Note you are responsible for removing any application session data you want removed.  To do so, subclass `QuoVadis::SessionsController` and override the `destroy` method:
+
+```ruby
+# app/controllers/custom_sessions_controller.rb
+class CustomSessionsController < QuoVadis::SessionsController
+  def destroy
+    reset_session
+    super
+  end
+end
+```
+
+Add a route:
+
+```ruby
+# config/routes.rb
+delete 'logout', to: 'custom_sessions#destroy'
+```
+
+And then point your log out button at your custom action:
+
+```ruby
+button_to 'Log out', main_app.logout_path, method: :delete
+```
+
+
 ### Two-factor authentication (2FA) or Two-step verification (2SV)
 
 If you do not want 2FA at all, set `QuoVadis.two_factor_authentication_mandatory false` in your configuration and skip the rest of this section.
@@ -490,6 +524,6 @@ If you don't want a specific flash message at all, give the key an empty value i
 
 ## Intellectual Property
 
-Copyright 2011-2022 Andrew Stewart (boss@airbladesoftware.com).
+Copyright Andrew Stewart (boss@airbladesoftware.com).
 
 Released under the MIT licence.

data/app/controllers/quo_vadis/sessions_controller.rb

@@ -39,10 +39,10 @@ module QuoVadis
       #    params[:remember] == 1 => use QuoVadis.session_lifetime
       browser_session = params[:remember] == '0'
 
-      flash[:notice] = QuoVadis.translate 'flash.login.success'
-
       login account.model, browser_session
 
+      flash[:notice] = QuoVadis.translate 'flash.login.success'
+
       redirect_to qv.path_after_authentication
     end
 

data/app/views/quo_vadis/password_resets/new.html.erb

@@ -3,7 +3,7 @@
 <%= form_with url: password_reset_path, method: :post do |f| %>
   <p>
     <%= f.label :email %>
-    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+    <%= f.text_field :email, type: 'email', inputmode: 'email', autocomplete: 'email' %>
   </p>
 
   <p>

data/app/views/quo_vadis/sessions/new.html.erb

@@ -3,7 +3,7 @@
 <%= form_with url: login_path, method: :post do |f| %>
   <p>
     <%= f.label :email %>
-    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+    <%= f.text_field :email, type: 'email', inputmode: 'email', autocomplete: 'email' %>
   </p>
 
   <p>

data/lib/quo_vadis/controller.rb

@@ -11,7 +11,13 @@ module QuoVadis
       # Remember the last activity time so we can timeout idle sessions.
       # This has to be done after that timestamp is checked (in `#authenticated_model`)
       # otherwise sessions could never look idle.
-      base.after_action { |controller| controller.qv.touch_session_last_seen_at }
+      #
+      # Ignores ActiveStorage requests.
+      base.after_action { |controller|
+        if !defined?(::ActiveStorage) || !controller.class.module_parents.include?(::ActiveStorage)
+          controller.qv.touch_session_last_seen_at
+        end
+      }
     end
 
 
@@ -190,7 +196,7 @@ module QuoVadis
       def logout
         session&.destroy
         clear_session_id
-        reset_session
+        prevent_rails_session_fixation
         controller.instance_variable_set :@authenticated_model, nil
       end
 

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.2.0'
+  VERSION = '2.2.2'
 end

data/test/README.md

@@ -0,0 +1,6 @@
+# Testing
+
+Run tests with:
+
+    bundle exec rails test
+

data/test/dummy/app/controllers/articles_controller.rb

@@ -6,6 +6,7 @@ class ArticlesController < ApplicationController
   end
 
   def secret
+    session[:foo] = 'bar'
   end
 
   def also_secret

data/test/integration/sessions_test.rb

@@ -69,6 +69,22 @@ class SessionsTest < IntegrationTest
   end
 
 
+  test 'non-authentication session data is not removed on logout' do
+    desktop = login
+    session_id = desktop.session.id
+
+    desktop.get secret_articles_path
+    assert_equal 'bar', desktop.session[:foo]
+
+    desktop.delete quo_vadis.logout_path
+    refute desktop.controller.logged_in?
+
+    desktop.get articles_path
+    assert_equal 'bar', desktop.session[:foo]
+    refute_equal session_id, desktop.session.id
+  end
+
+
   private
 
   # starts a new rails session and logs in

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.2
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-17 00:00:00.000000000 Z
+date: 2024-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -136,6 +136,7 @@ files:
 - lib/quo_vadis/model.rb
 - lib/quo_vadis/version.rb
 - quo_vadis.gemspec
+- test/README.md
 - test/dummy/README.markdown
 - test/dummy/Rakefile
 - test/dummy/app/controllers/application_controller.rb
@@ -218,7 +219,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Multifactor authentication for Rails 6 and 7.