RubyGems - quo_vadis - Versions diffs - 2.2.4 → 2.2.6 - Mend

quo_vadis 2.2.4 → 2.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +12 -0
data/README.md +3 -1
data/app/models/quo_vadis/password.rb +15 -10
data/lib/quo_vadis/version.rb +1 -1
data/lib/quo_vadis.rb +12 -1
data/quo_vadis.gemspec +1 -1
data/test/dummy/app/models/user.rb +2 -0
data/test/models/account_test.rb +2 -2
data/test/models/model_test.rb +6 -5
data/test/quo_vadis_test.rb +2 -2
metadata +4 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0d059bd573146f59fff8f4fff1ef953c4da0bff83b07125efafadfd40334a9a8
-  data.tar.gz: 744bd5ac56082016453309608721c76e37dcb8827f1c7111102d8a0d06961608
+  metadata.gz: 793c8183dd6e61c69255ca9e13a9726949591cbc4e3dda9890fb213848819dea
+  data.tar.gz: a01e34b058359d91dac594c617a2c55550f16f2e607a9b254f2087eab9eadc10
 SHA512:
-  metadata.gz: 746819329e2b544e00ca92ccf75cd5293f58160da3243db0c0d6b9dba6d70fde94e59492fd2d73387e20d5f60487dbb98f56eb8c618573215a6b9efd027b4442
-  data.tar.gz: caf55aa31161fe96980ab58b2a3d477202e03b80fa2a4a684477bfb6f3aef4c4033ff670b03f2d434cbda45ff4bc23291d288b196440f372545c1eaccd89732f
+  metadata.gz: b5c29de9d14f2d2d14e4fcefa04379b0135c5720b27df6d3762c30503e121cb811f1e0248a76d589580931f953367c04f810d286df15204abe2c52b2df1c82cb
+  data.tar.gz: 9afd5eb09d2b91db1a5c3023e2c2b4fccd545231b39188fa95acebab677549dc642a657797b8c2e59b83b00595ce21083ffeadf0be2f4c17aa09e64496a9a672

data/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,18 @@
 ## HEAD
+## 2.2.6 (17 November 2025)
+* Make permitting of password updates explicit.
+* Feature-detect method rather than module for normalisation.
+## 2.2.5 (14 April 2025)
+* Normalise identifier value for lookup.
+* Tweak summary of project.
 ## 2.2.4 (25 June 2024)
 * Add logged-{in, out} routing constraints.

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # Quo Vadis
-Multifactor authentication for your Rails app (Rails 7 and Rails 6).
+Multifactor authentication for your Rails app (backwards-compatible to Rails 6).
 Designed in accordance with the [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) and relevant [OWASP Cheatsheets](https://cheatsheetseries.owasp.org).
@@ -59,6 +59,8 @@ Finally, copy the example views across:
 rails generate quo_vadis:install
 ```
+You may find that you need to eager load your code in development so that your model's / models' `#authenticates` call(s) executes straightaway.  This method registers your model(s) with QuoVadis, which needs to happen before you can do any authentication-related things such as reset your password.
 ## Usage

data/app/models/quo_vadis/password.rb CHANGED Viewed

@@ -7,12 +7,14 @@ module QuoVadis
     has_secure_password
     validates_length_of :password, minimum: QuoVadis.password_minimum_length, allow_blank: true
-    validate :password_updated_legitimately, on: :update
+    validate :permitted_update, on: :update
     attr_accessor :new_password
     def change(current_plaintext, new_plaintext, new_plaintext_confirmation)
+      permit_password_update
       unless authenticate current_plaintext
         errors.add :password, :incorrect
         return false
@@ -38,6 +40,8 @@ module QuoVadis
     def reset(new_plaintext, new_plaintext_confirmation)
+      permit_password_update
       # has_secure_password ignores empty passwords ("") on update so reject them here.
       if new_plaintext.empty?
         errors.add :password, :blank
@@ -56,18 +60,19 @@ module QuoVadis
     private
-    def password_updated_legitimately
-      return unless password_digest_changed?
+    def permit_password_update
+      @permit_password_update = true
+    end
-      unless change_or_reset_called?
-        errors.add :password, 'must be updated via #change or #reset'
-      end
+    def permit_password_update?
+      @permit_password_update
     end
-    def change_or_reset_called?
-      caller_locations.any? { |loc|
-        ['change', 'reset'].include?(loc.label) && Pathname.new(loc.path).basename.to_s == 'password.rb'
-      }
+    def permitted_update
+      return unless password_digest_changed?
+      return if permit_password_update?
+      errors.add :password, 'must be updated via #change or #reset'
     end
   end
 end

data/lib/quo_vadis/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module QuoVadis
-  VERSION = '2.2.4'
+  VERSION = '2.2.6'
 end

data/lib/quo_vadis.rb CHANGED Viewed

@@ -51,7 +51,12 @@ module QuoVadis
     def identifier_value_in_params(params)
       identifier = detect_identifier params.keys
-      params[identifier]
+      value = params[identifier]
+      return value unless ApplicationRecord.respond_to? :normalize_value_for
+      klass = model_of(identifier.to_sym).constantize
+      klass.normalize_value_for(identifier.to_sym, value)
     end
     # model - string class name, e.g. 'User'
@@ -94,10 +99,16 @@ module QuoVadis
     private
+    # key - model name, e.g. "User"
+    # value - identifier, e.g. :email
     def models
       @models ||= {}
     end
+    def model_of(identifier)
+      models.rassoc(identifier).first
+    end
     def detect_identifier(candidates)
       (identifiers.map(&:to_s) & candidates.map(&:to_s)).first
     end

data/quo_vadis.gemspec CHANGED Viewed

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.authors       = ['Andy Stewart']
   spec.email         = ['boss@airbladesoftware.com']
-  spec.summary       = 'Multifactor authentication for Rails 6 and 7.'
+  spec.summary       = 'Multifactor authentication for Rails.'
   spec.homepage      = 'https://github.com/airblade/quo_vadis'
   spec.license       = 'MIT'

data/test/dummy/app/models/user.rb CHANGED Viewed

@@ -2,5 +2,7 @@ class User < ApplicationRecord
   validates :name, presence: true
   validates :email, presence: true, uniqueness: {case_sensitive: false}
+  normalizes :email, with: -> { _1.strip.downcase }
   authenticates
 end

data/test/models/account_test.rb CHANGED Viewed

@@ -17,7 +17,7 @@ class AccountTest < ActiveSupport::TestCase
     p = Person.create! username: 'bob', email: 'bob@example.com', password: 'secretsecret'
     assert_enqueued_email_with QuoVadis::Mailer,
       :identifier_change_notification,
-      args: {email: 'bob@example.com', identifier: 'username', ip: nil, timestamp: Time.now} do
+      params: {email: 'bob@example.com', identifier: 'username', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         p.update username: 'robert@example.com'
       end
@@ -30,7 +30,7 @@ class AccountTest < ActiveSupport::TestCase
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     assert_enqueued_email_with QuoVadis::Mailer,
       :email_change_notification,
-      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
+      params: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         u.update email: 'robert@example.com'
       end

data/test/models/model_test.rb CHANGED Viewed

@@ -29,14 +29,15 @@ class ModelTest < ActiveSupport::TestCase
   test 'copies model identifier to account' do
-    email = 'bob@example.com'
+    email = ' Bob@example.com  '
     u = User.create! name: 'bob', email: email, password: '123456789abc'
-    assert_equal email, u.qv_account.identifier
+    # email is normalized
+    assert_equal "bob@example.com", u.qv_account.identifier
-    email = 'b@foo.com'
+    email = 'b@FOO.com  '
     u.update email: email
     u.qv_account.reload
-    assert_equal email, u.qv_account.identifier
+    assert_equal "b@foo.com", u.qv_account.identifier
     u.update name: nil, email: 'xyz'  # nil name is invalid
     u.qv_account.reload
@@ -62,7 +63,7 @@ class ModelTest < ActiveSupport::TestCase
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     assert_enqueued_email_with QuoVadis::Mailer,
       :email_change_notification,
-      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
+      params: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       u.update email: 'robert@example.com'
     end
   end

data/test/quo_vadis_test.rb CHANGED Viewed

@@ -35,9 +35,9 @@ class QuoVadisTest < ActiveSupport::TestCase
   test 'find_account_by_identifier_in_params' do
-    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    u = User.create! name: 'bob', email: ' Bob@example.com ', password: '123456789abc'
     assert_equal u.qv_account,
-      QuoVadis.find_account_by_identifier_in_params({'foo' => 'bar', 'email' => 'bob@example.com', 'commit' => 'Save'})
+      QuoVadis.find_account_by_identifier_in_params({'foo' => 'bar', 'email' => '  BOB@example.com ', 'commit' => 'Save'})
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.2.4
+  version: 2.2.6
 platform: ruby
 authors:
 - Andy Stewart
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-25 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -66,7 +65,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-description:
 email:
 - boss@airbladesoftware.com
 executables: []
@@ -206,7 +204,6 @@ homepage: https://github.com/airblade/quo_vadis
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -221,8 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 3.7.2
 specification_version: 4
-summary: Multifactor authentication for Rails 6 and 7.
+summary: Multifactor authentication for Rails.
 test_files: []