quo_vadis 1.0.3 → 1.0.4

data/CHANGELOG.md

@@ -0,0 +1,32 @@
+# CHANGELOG
+
+
+## 1.0.4 (22 February 2011)
+
+* Work with Rails' improved CSRF protection.
+* Prevent session fixation attacks.
+
+
+## 1.0.3 (7 February 2011)
+
+* Remember user between browser sessions.
+
+
+## 1.0.2 (27 January 2011)
+
+* Forgotten-password functionality.
+
+
+## 1.0.1 (26 January 2011)
+
+* Configurable layout.
+* Make flash messages optional.
+
+
+## 1.0.0 (25 January 2011)
+
+* Sign in.
+* Sign out.
+* Authenticate actions.
+* Remember URL user wants to view.
+* Hooks for sign in, sign out, failed sign in.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    quo_vadis (1.0.2)
+    quo_vadis (1.0.4)
       bcrypt-ruby (~> 2.1.4)
       rails (~> 3.0)
 
@@ -9,36 +9,36 @@ GEM
   remote: http://rubygems.org/
   specs:
     abstract (1.0.0)
-    actionmailer (3.0.3)
-      actionpack (= 3.0.3)
-      mail (~> 2.2.9)
-    actionpack (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
+    actionmailer (3.0.4)
+      actionpack (= 3.0.4)
+      mail (~> 2.2.15)
+    actionpack (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
       builder (~> 2.1.2)
       erubis (~> 2.6.6)
       i18n (~> 0.4)
       rack (~> 1.2.1)
       rack-mount (~> 0.6.13)
-      rack-test (~> 0.5.6)
+      rack-test (~> 0.5.7)
       tzinfo (~> 0.3.23)
-    activemodel (3.0.3)
-      activesupport (= 3.0.3)
+    activemodel (3.0.4)
+      activesupport (= 3.0.4)
       builder (~> 2.1.2)
       i18n (~> 0.4)
-    activerecord (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
+    activerecord (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
       arel (~> 2.0.2)
       tzinfo (~> 0.3.23)
-    activeresource (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
-    activesupport (3.0.3)
-    arel (2.0.4)
+    activeresource (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
+    activesupport (3.0.4)
+    arel (2.0.8)
     bcrypt-ruby (2.1.4)
     builder (2.1.2)
-    capybara (0.4.1.1)
+    capybara (0.4.1.2)
       celerity (>= 0.7.9)
       culerity (>= 0.2.4)
       mime-types (>= 1.16)
@@ -47,8 +47,8 @@ GEM
       rack-test (>= 0.5.4)
       selenium-webdriver (>= 0.0.27)
       xpath (~> 0.1.3)
-    celerity (0.8.7)
-    childprocess (0.1.6)
+    celerity (0.8.8)
+    childprocess (0.1.7)
       ffi (~> 0.6.3)
     configuration (1.2.0)
     culerity (0.2.15)
@@ -56,14 +56,14 @@ GEM
       abstract (>= 1.0.0)
     ffi (0.6.3)
       rake (>= 0.8.7)
-    i18n (0.4.1)
-    json_pure (1.5.0)
+    i18n (0.5.0)
+    json_pure (1.5.1)
     launchy (0.3.7)
       configuration (>= 0.0.5)
       rake (>= 0.8.1)
-    mail (2.2.10)
+    mail (2.2.15)
       activesupport (>= 2.3.6)
-      i18n (~> 0.4.1)
+      i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     mime-types (1.16)
@@ -72,33 +72,33 @@ GEM
     rack (1.2.1)
     rack-mount (0.6.13)
       rack (>= 1.0.0)
-    rack-test (0.5.6)
+    rack-test (0.5.7)
       rack (>= 1.0)
-    rails (3.0.3)
-      actionmailer (= 3.0.3)
-      actionpack (= 3.0.3)
-      activerecord (= 3.0.3)
-      activeresource (= 3.0.3)
-      activesupport (= 3.0.3)
+    rails (3.0.4)
+      actionmailer (= 3.0.4)
+      actionpack (= 3.0.4)
+      activerecord (= 3.0.4)
+      activeresource (= 3.0.4)
+      activesupport (= 3.0.4)
       bundler (~> 1.0)
-      railties (= 3.0.3)
-    railties (3.0.3)
-      actionpack (= 3.0.3)
-      activesupport (= 3.0.3)
+      railties (= 3.0.4)
+    railties (3.0.4)
+      actionpack (= 3.0.4)
+      activesupport (= 3.0.4)
       rake (>= 0.8.7)
       thor (~> 0.14.4)
     rake (0.8.7)
     rubyzip (0.9.4)
-    selenium-webdriver (0.1.2)
+    selenium-webdriver (0.1.3)
       childprocess (~> 0.1.5)
       ffi (~> 0.6.3)
       json_pure
       rubyzip
     sqlite3-ruby (1.2.5)
     thor (0.14.6)
-    treetop (1.4.8)
+    treetop (1.4.9)
       polyglot (>= 0.3.1)
-    tzinfo (0.3.23)
+    tzinfo (0.3.24)
     xpath (0.1.3)
       nokogiri (~> 1.3)
 
@@ -106,9 +106,8 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  bcrypt-ruby (~> 2.1.4)
   capybara (>= 0.4.0)
   launchy
   quo_vadis!
-  rails (~> 3.0)
+  rails (>= 3.0.4)
   sqlite3-ruby

data/README.md

@@ -2,6 +2,8 @@
 
 Quo Vadis adds simple username/password authentication to Rails 3 applications.
 
+Why bother with yet another authentication gem?  Well, I find all the others over-engineered.  Code should be easy to use and easy to read.  As far as I'm concerned, none of the others ticks both boxes.
+
 Features:
 
 * Minimal effort to add authentication to your app: get up and running in 5 minutes.

data/app/controllers/controller_mixin.rb

@@ -3,6 +3,11 @@ module ControllerMixin
     base.helper_method :current_user
   end
 
+  def handle_unverified_request
+    super
+    cookies.delete :remember_me
+  end
+
   private
 
   # Remembers the authenticated <tt>user</tt> (in this session and future sessions).

data/app/controllers/quo_vadis/sessions_controller.rb

@@ -83,6 +83,7 @@ class QuoVadis::SessionsController < ApplicationController
   # and you need to sign them in.  For example, if a new user has just signed up,
   # you should call this method to sign them in.
   def sign_in(user)
+    prevent_session_fixation
     self.current_user = user
     QuoVadis.signed_in_hook user, self
     redirect_to QuoVadis.signed_in_url(user, original_url)
@@ -106,4 +107,14 @@ class QuoVadis::SessionsController < ApplicationController
     QuoVadis.layout
   end
 
+  def prevent_session_fixation # :nodoc:
+    original_flash = flash.inject({}) { |hsh, (k,v)| hsh[k] = v; hsh }
+    original_url = session[:quo_vadis_original_url]
+
+    reset_session
+
+    original_flash.each { |k,v| flash[k] = v }
+    session[:quo_vadis_original_url] = original_url
+  end
+
 end

data/lib/quo_vadis/version.rb

@@ -1,3 +1,3 @@
 module QuoVadis
-  VERSION = '1.0.3'
+  VERSION = '1.0.4'
 end

data/quo_vadis.gemspec

@@ -22,6 +22,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'rails',       '~>3.0'
   s.add_dependency 'bcrypt-ruby', '~>2.1.4'
 
+  s.add_development_dependency 'rails', '>=3.0.4'  # so we can test CSRF protection
   s.add_development_dependency 'sqlite3-ruby'
   s.add_development_dependency 'capybara', '>= 0.4.0'
   s.add_development_dependency 'launchy'

data/test/dummy/app/controllers/articles_controller.rb

@@ -8,4 +8,13 @@ class ArticlesController < ApplicationController
   def new
     @article = Article.new
   end
+
+  def create
+    @article = Article.new params[:article]
+    if @article.save
+      redirect_to :action => 'index'
+    else
+      render 'new'
+    end
+  end
 end

data/test/dummy/app/views/articles/new.html.erb

@@ -1 +1,11 @@
 <h1>New Article</h1>
+
+<%= form_for @article do |f| %>
+  <%= f.label :title %>
+  <%= f.text_field :title %>
+
+  <%= f.label :content %>
+  <%= f.text_area :content %>
+
+  <%= f.submit %>
+<% end %>

data/test/dummy/config/environments/test.rb

@@ -17,8 +17,8 @@ Dummy::Application.configure do
   # Raise exceptions instead of rendering exception templates
   config.action_dispatch.show_exceptions = false
 
-  # Disable request forgery protection in test environment
-  config.action_controller.allow_forgery_protection    = false
+  # Enable request forgery protection in test environment
+  config.action_controller.allow_forgery_protection    = true
 
   # Tell Action Mailer not to deliver emails to the real world.
   # The :test delivery method accumulates sent emails in the

data/test/integration/cookie_test.rb

@@ -69,29 +69,4 @@ class CookieTest < ActiveSupport::IntegrationCase
     visit new_article_path
     assert_equal sign_in_path, current_path
   end
-
-
-  #
-  # Code below from https://github.com/nruth/show_me_the_cookies
-  #
-
-  def delete_cookie(cookie_name)
-    cookie_jar.instance_variable_get(:@cookies).reject! do |existing_cookie|
-      existing_cookie.name.downcase == cookie_name
-    end
-  end
-
-  def get_cookie(cookie_name)
-    cookie_jar.instance_variable_get(:@cookies).select do |existing_cookie|
-      existing_cookie.name.downcase == cookie_name
-    end.first
-  end
-
-  def cookie_jar
-    Capybara.current_session.driver.current_session.instance_variable_get(:@rack_mock_session).cookie_jar
-  end
-
-  def close_browser
-    delete_cookie Rails.application.config.session_options[:key]
-  end
 end

data/test/integration/csrf_test.rb

@@ -0,0 +1,41 @@
+require 'test_helper'
+
+class CsrfTest < ActionController::IntegrationTest
+  setup do
+    reset_quo_vadis_configuration
+  end
+
+  test 'cookies are destroyed on unverified requests' do
+    user_factory 'Bob', 'bob', 'secret'
+    # sign in
+    post sign_in_path, :username => 'bob', :password => 'secret'
+    get new_article_path
+    assert_equal new_article_path, path
+
+    # mimic closing browser
+    session.clear
+
+    # assert remember me cookie is still set
+    assert !cookies['remember_me'].blank?
+
+    # go to new article page, to start new session, and create article
+    get_via_redirect new_article_path
+    assert_equal new_article_path, path
+    assert_difference 'Article.count' do
+      post articles_path, :article => {:title => 'My article'}, :authenticity_token => session[:_csrf_token]
+    end
+
+    # assert remember me cookie is still set
+    assert !cookies['remember_me'].blank?
+
+    # make unverified request
+    assert_no_difference 'Article.count' do
+      post articles_path, :article => {:title => 'My article'}, :authenticity_token => 'INVALID'
+    end
+
+    # assert we are signed out, both at session level and cookie level.
+    assert cookies['remember_me'].blank?
+    get_via_redirect new_article_path
+    assert_equal sign_in_path, path
+  end
+end

data/test/test_helper.rb

@@ -54,3 +54,28 @@ def reset_quo_vadis_configuration
   QuoVadis.subject               = 'Change your password'
   QuoVadis.remember_for          = 2.weeks
 end
+
+
+#
+# Code below from https://github.com/nruth/show_me_the_cookies
+#
+
+def delete_cookie(cookie_name)
+  cookie_jar.instance_variable_get(:@cookies).reject! do |existing_cookie|
+    existing_cookie.name.downcase == cookie_name
+  end
+end
+
+def get_cookie(cookie_name)
+  cookie_jar.instance_variable_get(:@cookies).select do |existing_cookie|
+    existing_cookie.name.downcase == cookie_name
+  end.first
+end
+
+def cookie_jar
+  Capybara.current_session.driver.current_session.instance_variable_get(:@rack_mock_session).cookie_jar
+end
+
+def close_browser
+  delete_cookie Rails.application.config.session_options[:key]
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: quo_vadis
 version: !ruby/object:Gem::Version 
-  hash: 17
+  hash: 31
   prerelease: false
   segments: 
   - 1
   - 0
-  - 3
-  version: 1.0.3
+  - 4
+  version: 1.0.4
 platform: ruby
 authors: 
 - Andy Stewart
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-02-07 00:00:00 +00:00
+date: 2011-02-22 00:00:00 +00:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -50,9 +50,25 @@ dependencies:
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency 
-  name: sqlite3-ruby
+  name: rails
   prerelease: false
   requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 3
+        - 0
+        - 4
+        version: 3.0.4
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: sqlite3-ruby
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -62,11 +78,11 @@ dependencies:
         - 0
         version: "0"
   type: :development
-  version_requirements: *id003
+  version_requirements: *id004
 - !ruby/object:Gem::Dependency 
   name: capybara
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -78,11 +94,11 @@ dependencies:
         - 0
         version: 0.4.0
   type: :development
-  version_requirements: *id004
+  version_requirements: *id005
 - !ruby/object:Gem::Dependency 
   name: launchy
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ">="
@@ -92,7 +108,7 @@ dependencies:
         - 0
         version: "0"
   type: :development
-  version_requirements: *id005
+  version_requirements: *id006
 description: Simple username/password authentication for Rails 3.
 email: 
 - boss@airbladesoftware.com
@@ -104,6 +120,7 @@ extra_rdoc_files: []
 
 files: 
 - .gitignore
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - README.md
@@ -178,6 +195,7 @@ files:
 - test/integration/authenticate_test.rb
 - test/integration/config_test.rb
 - test/integration/cookie_test.rb
+- test/integration/csrf_test.rb
 - test/integration/forgotten_test.rb
 - test/integration/helper_test.rb
 - test/integration/locale_test.rb
@@ -280,6 +298,7 @@ test_files:
 - test/integration/authenticate_test.rb
 - test/integration/config_test.rb
 - test/integration/cookie_test.rb
+- test/integration/csrf_test.rb
 - test/integration/forgotten_test.rb
 - test/integration/helper_test.rb
 - test/integration/locale_test.rb