quo_vadis 2.2.5 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d6a07996a9ca5d95f789060694cf9a1be4d2bc7c8e585f7a60c1e3c883eec1e7
-  data.tar.gz: 350e447a8897c4af8b0bad19971b23bc7d551ca348d4cb1ae0d6ff713f928883
+  metadata.gz: 99defadc14bc4d695dccfad2f131ea6817ae931b1af1a65cc2418a5c3dbe1444
+  data.tar.gz: 2585f246fe58c479cee88852a155aa66d1ae4ff3f18f9c353216529a096a1f75
 SHA512:
-  metadata.gz: 8461e1e31a53a02073b281d99028b0b25839764746d986e7e3325b5c5e8763d4b34cc48b1ae69064405022341fb76101488dc11f3229e8d0d3afcf236beb02fc
-  data.tar.gz: 508ebf170a8abe591c8217a68390b9e11ec0204b86412e87b86ead2e84b3e0fcab2886aa22897a2d4266d43370cc42c25938a4e92c3073bf042d695278dff761
+  metadata.gz: 04a76b0961a32febb4860656ba4a45faaeec652c3174450393583c3667af51950b55f8c9995b123ee135396c442da607512541d8dd01c6cedbfb279f736085aa
+  data.tar.gz: e38c400e9a0151691616e522218954d76347fec42cfa479d240166d8bdae95c75cd00d7e56cb4a92c8ec7da7a53b45b6847b1b942df3043f7ddc49bed1ecef56

data/CHANGELOG.md

@@ -4,6 +4,19 @@
 ## HEAD
 
 
+## 2.3.0 (18 November 2025)
+
+* Upon confirmation redirect to original path.
+* Remove concept of after_signup route.
+* Enable OTP to be given in i18n mailer subject.
+
+
+## 2.2.6 (17 November 2025)
+
+* Make permitting of password updates explicit.
+* Feature-detect method rather than module for normalisation.
+
+
 ## 2.2.5 (14 April 2025)
 
 * Normalise identifier value for lookup.

data/README.md

@@ -59,6 +59,8 @@ Finally, copy the example views across:
 rails generate quo_vadis:install
 ```
 
+You may find that you need to eager load your code in development so that your model's / models' `#authenticates` call(s) executes straightaway.  This method registers your model(s) with QuoVadis, which needs to happen before you can do any authentication-related things such as reset your password.
+
 
 ## Usage
 
@@ -195,15 +197,15 @@ Your new user sign-up form ([example](https://github.com/airblade/quo_vadis/blob
 
 In your controller, use the [`#login`](#loginmodel-browser_session--true-metadata-) method to log in your new user.  The optional second argument specifies for how long the user should be logged in, and any metadata you supply is logged in the audit log.
 
-After logging in the user, redirect them wherever you like.  You can use `qv.path_after_signup` which resolves to the first of these routes that exists: `:after_signup`, `:after_login`, the root route.
+After logging in the user, redirect them wherever you like as normal.
 
 ```ruby
 class UsersController < ApplicationController
   def create
     @user = User.new user_params
     if @user.save
-      login @user
-      redirect_to qv.path_after_signup
+      login @user  # <-- add this
+      redirect_to dashboard_path
     else
       # ...
     end
@@ -217,21 +219,15 @@ class UsersController < ApplicationController
 end
 ```
 
-```ruby
-# config/routes.rb
-get '/dashboard', as: 'after_login'
-```
-
-
 ### Sign up with account confirmation
 
 Follow the steps above for sign-up.
 
-After you have logged in the user and redirected them (to any page which requires being logged in), QuoVadis detects that they need to confirm their account.  QuoVadis emails them a 6-digit confirmation code and redirects them to the confirmation page where they can enter that code.
+After you have logged in the user and redirected them, QuoVadis detects that they need to confirm their account.  QuoVadis emails them a 6-digit confirmation code and redirects them to the confirmation page where they can enter that code.
 
 The confirmation code is valid for `QuoVadis.account_confirmation_otp_lifetime`.
 
-Once the user has confirmed their account, they will be redirected to `qv.path_after_signup` which resolves to the first of these routes that exists: `:after_signup`, `:after_login`, the root route.  Add whichever works best for you.
+Once the user has confirmed their account, they will be redirected to the page they requested before they were redirected to the confirmation page.
 
 You need to write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/account_confirmation.text.erb)).  It must be in `app/views/quo_vadis/mailer/account_confirmation.{text,html}.erb` and output the `@otp` variable.  See the [Configuration](#configuration) section for how to set QuoVadis's emails' from addresses, headers, etc.
 
@@ -553,7 +549,7 @@ get '/profile',           to: 'profiles#show',   as: 'after_password_change'
 
 ### I18n
 
-All QuoVadis' flash messages are set via [i18n](https://github.com/airblade/quo_vadis/blob/master/config/locales/quo_vadis.en.yml).
+All QuoVadis' text (flash messages, mail subjects, and log messages) is set via [i18n](https://github.com/airblade/quo_vadis/blob/master/config/locales/quo_vadis.en.yml).
 
 You can override any of the messages with your own locale file at `config/locales/quo_vadis.en.yml`.
 

data/app/controllers/quo_vadis/confirmations_controller.rb

@@ -7,7 +7,7 @@ module QuoVadis
       @account = find_pending_account_from_session
 
       unless @account
-        redirect_to qv.path_after_signup, alert: QuoVadis.translate('flash.confirmation.unknown')
+        redirect_to qv.path_after_authentication, alert: QuoVadis.translate('flash.confirmation.unknown')
       end
     end
 
@@ -16,7 +16,7 @@ module QuoVadis
       @account = find_pending_account_from_session
 
       unless @account
-        redirect_to qv.path_after_signup, alert: QuoVadis.translate('flash.confirmation.unknown')
+        redirect_to qv.path_after_authentication, alert: QuoVadis.translate('flash.confirmation.unknown')
         return
       end
 
@@ -39,7 +39,7 @@ module QuoVadis
       session.delete :account_pending_confirmation
       session.delete :account_confirmation_expires_at
 
-      redirect_to qv.path_after_signup, notice: QuoVadis.translate('flash.confirmation.confirmed')
+      redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.confirmation.confirmed')
     end
 
 
@@ -47,7 +47,7 @@ module QuoVadis
       @account = find_pending_account_from_session
 
       unless @account
-        redirect_to qv.path_after_signup, alert: QuoVadis.translate('flash.confirmation.unknown')
+        redirect_to qv.path_after_authentication, alert: QuoVadis.translate('flash.confirmation.unknown')
       end
 
       qv.request_confirmation @account.model

data/app/mailers/quo_vadis/mailer.rb

@@ -5,12 +5,12 @@ module QuoVadis
 
     def reset_password
       @otp = params[:otp]
-      _mail params[:email], QuoVadis.translate('mailer.password_reset.subject')
+      _mail params[:email], QuoVadis.translate('mailer.password_reset.subject', otp: params[:otp])
     end
 
     def account_confirmation
       @otp = params[:otp]
-      _mail params[:email], QuoVadis.translate('mailer.confirmation.subject')
+      _mail params[:email], QuoVadis.translate('mailer.confirmation.subject', otp: params[:otp])
     end
 
     def email_change_notification

data/app/models/quo_vadis/password.rb

@@ -7,12 +7,14 @@ module QuoVadis
     has_secure_password
 
     validates_length_of :password, minimum: QuoVadis.password_minimum_length, allow_blank: true
-    validate :password_updated_legitimately, on: :update
+    validate :permitted_update, on: :update
 
     attr_accessor :new_password
 
 
     def change(current_plaintext, new_plaintext, new_plaintext_confirmation)
+      permit_password_update
+
       unless authenticate current_plaintext
         errors.add :password, :incorrect
         return false
@@ -38,6 +40,8 @@ module QuoVadis
 
 
     def reset(new_plaintext, new_plaintext_confirmation)
+      permit_password_update
+
       # has_secure_password ignores empty passwords ("") on update so reject them here.
       if new_plaintext.empty?
         errors.add :password, :blank
@@ -56,18 +60,19 @@ module QuoVadis
 
     private
 
-    def password_updated_legitimately
-      return unless password_digest_changed?
+    def permit_password_update
+      @permit_password_update = true
+    end
 
-      unless change_or_reset_called?
-        errors.add :password, 'must be updated via #change or #reset'
-      end
+    def permit_password_update?
+      @permit_password_update
     end
 
-    def change_or_reset_called?
-      caller_locations.any? { |loc|
-        ['change', 'reset'].include?(loc.label) && Pathname.new(loc.path).basename.to_s == 'password.rb'
-      }
+    def permitted_update
+      return unless password_digest_changed?
+      return if permit_password_update?
+
+      errors.add :password, 'must be updated via #change or #reset'
     end
   end
 end

data/config/locales/quo_vadis.en.yml

@@ -35,9 +35,9 @@ en:
         invalidated: You have invalidated your 2FA credentials and recovery codes.
     mailer:
       password_reset:
-        subject: Change your password
+        subject: Your password reset code is %{otp}
       confirmation:
-        subject: Please confirm your account
+        subject: Your account confirmation code is %{otp}
       notification:
         email_change: Your email address has been changed
         identifier_change: Your %{identifier} has been changed

data/lib/quo_vadis/controller.rb

@@ -34,6 +34,7 @@ module QuoVadis
       if logged_in?
         if QuoVadis.accounts_require_confirmation && !authenticated_model.qv_account.confirmed?
           qv.request_confirmation authenticated_model
+          session[:qv_bookmark] = request.original_fullpath
           redirect_to quo_vadis.confirm_path
         end
         return
@@ -217,13 +218,6 @@ module QuoVadis
         Log.create account: account, action: action, ip: request.remote_ip, metadata: metadata
       end
 
-      def path_after_signup
-        return main_app.after_signup_path if main_app.respond_to?(:after_signup_path)
-        return main_app.after_login_path  if main_app.respond_to?(:after_login_path)
-        return main_app.root_path         if main_app.respond_to?(:root_path)
-        raise RuntimeError, 'Missing routes: after_signup_path, after_login_path, root_path; define at least one of them.'
-      end
-
       def path_after_authentication
         if (bookmark = rails_session[:qv_bookmark])
           rails_session.delete :qv_bookmark

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.2.5'
+  VERSION = '2.3.0'
 end

data/lib/quo_vadis.rb

@@ -53,7 +53,7 @@ module QuoVadis
       identifier = detect_identifier params.keys
       value = params[identifier]
 
-      return value unless defined?(ActiveRecord::Normalization)
+      return value unless ApplicationRecord.respond_to? :normalize_value_for
 
       klass = model_of(identifier.to_sym).constantize
       klass.normalize_value_for(identifier.to_sym, value)

data/test/dummy/app/controllers/sign_ups_controller.rb

@@ -24,11 +24,6 @@ class SignUpsController < ApplicationController
     @user = User.find params[:id]
   end
 
-  def confirmed
-    # Here we could send an email.
-    redirect_to after_login_path
-  end
-
   private
 
   def user_params

data/test/dummy/config/routes.rb

@@ -1,6 +1,5 @@
 Rails.application.routes.draw do
   resources :users
-  get '/sign_ups/confirmed', to: 'sign_ups#confirmed', as: 'after_signup'
   resources :sign_ups
   resources :articles do
     collection do

data/test/integration/account_confirmation_test.rb

@@ -30,8 +30,6 @@ class AccountConfirmationTest < IntegrationTest
     post quo_vadis.confirm_path(otp: code)
 
     # verify logged in
-    assert_redirected_to '/sign_ups/confirmed'
-    follow_redirect!
     assert_redirected_to '/articles/secret'
     assert_equal 'Thanks for confirming your account.', flash[:notice]
     assert QuoVadis::Account.last.confirmed?
@@ -64,7 +62,7 @@ class AccountConfirmationTest < IntegrationTest
 
     post quo_vadis.confirm_path(otp: code)
     assert_equal 'You have already confirmed your account.', flash[:alert]
-    assert_redirected_to '/sign_ups/confirmed'
+    assert_redirected_to '/articles/secret'
   end
 
 

data/test/mailers/mailer_test.rb

@@ -21,7 +21,7 @@ class MailerTest < ActionMailer::TestCase
 
     assert_equal ['foo@example.com'], email.to
     assert_equal ['bar@example.com'], email.from
-    assert_equal 'Change your password', email.subject
+    assert_equal 'Your password reset code is 314159', email.subject
     assert_equal read_fixture('reset_password.text').join, email.body.to_s
   end
 
@@ -38,7 +38,7 @@ class MailerTest < ActionMailer::TestCase
 
     assert_equal ['foo@example.com'], email.to
     assert_equal ['bar@example.com'], email.from
-    assert_equal 'Please confirm your account', email.subject
+    assert_equal 'Your account confirmation code is 271828', email.subject
     assert_equal read_fixture('account_confirmation.text').join, email.body.to_s
   end
 

data/test/models/account_test.rb

@@ -17,7 +17,7 @@ class AccountTest < ActiveSupport::TestCase
     p = Person.create! username: 'bob', email: 'bob@example.com', password: 'secretsecret'
     assert_enqueued_email_with QuoVadis::Mailer,
       :identifier_change_notification,
-      args: {email: 'bob@example.com', identifier: 'username', ip: nil, timestamp: Time.now} do
+      params: {email: 'bob@example.com', identifier: 'username', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         p.update username: 'robert@example.com'
       end
@@ -30,7 +30,7 @@ class AccountTest < ActiveSupport::TestCase
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     assert_enqueued_email_with QuoVadis::Mailer,
       :email_change_notification,
-      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
+      params: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       assert_enqueued_emails 1 do
         u.update email: 'robert@example.com'
       end

data/test/models/model_test.rb

@@ -63,7 +63,7 @@ class ModelTest < ActiveSupport::TestCase
     u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     assert_enqueued_email_with QuoVadis::Mailer,
       :email_change_notification,
-      args: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
+      params: {email: 'bob@example.com', ip: nil, timestamp: Time.now} do
       u.update email: 'robert@example.com'
     end
   end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.2.5
+  version: 2.3.0
 platform: ruby
 authors:
 - Andy Stewart
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-14 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -66,7 +65,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-description:
 email:
 - boss@airbladesoftware.com
 executables: []
@@ -206,7 +204,6 @@ homepage: https://github.com/airblade/quo_vadis
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -221,8 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 3.7.2
 specification_version: 4
 summary: Multifactor authentication for Rails.
 test_files: []