quo_vadis 2.0.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: db2382851913e7455425f7014c13fe2f88eeb19209077c042507b948bef37426
-  data.tar.gz: da813baac8751b9cbc998c403b824c40eb7b2bf5e9710cde7c88fef0c0a0255f
+  metadata.gz: 9ed3f9c506465f26124edf6207abe8bd40d8a87587d779c9789a882eb3894153
+  data.tar.gz: 9fb0294a48aef63132e359c97529e9547d3f6e6425ebcd734b2eff08a385fe2f
 SHA512:
-  metadata.gz: 837432b39ed54b1150d6982bf0385a923a908fe089a8c20b8753a256764d4d76c47da8588c14a99ae76622508cc7f727d1c4589f9a2f6f9870420310283ac6fd
-  data.tar.gz: 3c90dbeac8aea06b5eef1cd1afd51097e6228e15a5bdd9984e030d27888ff63fdb61721b4f40d41fc0dad3a91f9f044052fbecca598795395891581880c7f9dd
+  metadata.gz: a40cb588843f7e78d186e3203ac082e7238ceb21ced56393b26822b353797f214cd4d0bc77242a1d51d4e197a6ca95f2d0b6eebd97a8f730bda48eb2f86c9c3b
+  data.tar.gz: 826424470205327161484deff2aa1a031fd7426bf189c493488a9223fbe542b32ea47c89faa6b732fc3fe9d02da6bcd59cd7d31d042b9a30b775e3fae9229c34

data/.gitignore

@@ -9,3 +9,4 @@
 /test/dummy/log/
 /test/dummy/tmp/
 /test/dummy/db/*.sqlite3
+Gemfile.lock

data/CHANGELOG.md

@@ -1,6 +1,13 @@
 # CHANGELOG
 
 
+## 2.0.1 (18 May 2021)
+
+* Remove Gemfile.lock from repo.
+* Move runtime dependencies into gemspec.
+* Include test files in gem package (so views can be installed).
+
+
 ## 2.0.0 (14 May 2021)
 
 * Total rewrite from scratch.

data/Gemfile

@@ -7,10 +7,7 @@ gemspec
 
 gem "rake", "~> 13.0"
 
-gem "rails", ">= 6"  # from rodauth-rails
 gem 'sqlite3'
 gem 'capybara'
-gem 'rotp'
-gem 'rqrcode'
 
 # gem "minitest", "~> 5.0"

data/README.md

@@ -45,8 +45,7 @@ Then run `bundle install`.
 Next, add the database tables:
 
 ```
-$ rails quo_vadis:install:migrations
-$ rails db:migrate
+rails quo_vadis:install:migrations && rails db:migrate
 ```
 
 All the database tables are prefixed with `qv_`.
@@ -54,7 +53,7 @@ All the database tables are prefixed with `qv_`.
 Finally, copy the example views across:
 
 ```
-$ rails generate quo_vadis:install
+rails generate quo_vadis:install
 ```
 
 
@@ -218,7 +217,7 @@ Here's the workflow:
 4. [Account-confirmation confirmation page] The user clicks a button to confirm their account.  (This step is to prevent any link prefetching in the user's mail client from confirming them unintentionally.)
 5. QuoVadis confirms the user's account and logs them in.
 
-Your new user sign-up form ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/users/new.html.erb)) must include:
+Your new user sign-up form ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/sign_ups/new.html.erb)) must include:
 
 - a `:password` field;
 - optionally a `:password_confirmation` field;
@@ -492,7 +491,7 @@ For example, the default login path is at `/login`.  If you set `mount_point` to
 You must also configure the mailer host so URLs are generated correctly in emails:
 
 ```ruby
-config.action_mailer.default_url_options: { host: 'example.com }
+config.action_mailer.default_url_options: { host: 'example.com' }
 ```
 
 Finally, you can set up your post-authentication and post-password-change routes.  If you don't, you must have a root route.  For example:

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.0.0'
+  VERSION = '2.0.1'
 end

data/quo_vadis.gemspec

@@ -15,10 +15,12 @@ Gem::Specification.new do |spec|
   # spec.required_ruby_version = Gem::Requirement.new('>= 2.4.0')
 
   spec.files = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
+    `git ls-files -z`.split("\x0")
   end
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'rails', '>= 6'
-  spec.add_dependency 'bcrypt', '~> 3.1.7'
+  spec.add_dependency 'rails',   '>= 6'
+  spec.add_dependency 'bcrypt',  '~> 3.1.7'
+  spec.add_dependency 'rotp',    '>= 6'
+  spec.add_dependency 'rqrcode', '~> 2.0'
 end

data/test/dummy/README.markdown

@@ -0,0 +1 @@
+Only authenticated users can view articles.

data/test/dummy/Rakefile

@@ -0,0 +1,3 @@
+require_relative 'config/application'
+
+Rails.application.load_tasks

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/test/dummy/app/controllers/articles_controller.rb

@@ -0,0 +1,17 @@
+class ArticlesController < ApplicationController
+  before_action :require_authentication, except: :index
+  before_action :require_two_factor_authentication, only: :very_secret
+
+  def index
+  end
+
+  def secret
+  end
+
+  def also_secret
+  end
+
+  def very_secret
+  end
+
+end

data/test/dummy/app/controllers/sign_ups_controller.rb

@@ -0,0 +1,42 @@
+# To test sign-ups with confirmation (activation / verification)
+class SignUpsController < ApplicationController
+
+  around_action :toggle_confirmation
+
+  def new
+    @user = User.new
+  end
+
+
+  def create
+    @user = User.new user_params
+    if @user.save
+      if QuoVadis.accounts_require_confirmation
+        request_confirmation @user
+        redirect_to sign_up_path(@user)
+      else
+        redirect_to articles_path
+      end
+    else
+      render :new
+    end
+  end
+
+  def show
+    @user = User.find params[:id]
+  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:name, :email, :password, :password_confirmation)
+  end
+
+  def toggle_confirmation
+    QuoVadis.accounts_require_confirmation true
+    yield
+  ensure
+    QuoVadis.accounts_require_confirmation false
+  end
+
+end

data/test/dummy/app/controllers/users_controller.rb

@@ -0,0 +1,25 @@
+# To test creating users without activation
+class UsersController < ApplicationController
+
+  def new
+    @user = User.new
+  end
+
+  def create
+    @user = User.new user_params
+    if @user.save
+      # NOTE to login the user here, do this:
+      # login @user, true
+      redirect_to articles_path
+    else
+      render :new
+    end
+  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:name, :email, :password, :password_confirmation)
+  end
+
+end

data/test/dummy/app/models/application_record.rb

@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end

data/test/dummy/app/models/article.rb

@@ -0,0 +1,3 @@
+class Article < ApplicationRecord
+  validates :title, presence: true
+end

data/test/dummy/app/models/person.rb

@@ -0,0 +1,6 @@
+class Person < ApplicationRecord
+  validates :username, presence: true, uniqueness: {case_sensitive: false}
+  validates :email, presence: true, uniqueness: {case_sensitive: false}
+
+  authenticates identifier: :username
+end

data/test/dummy/app/models/user.rb

@@ -0,0 +1,6 @@
+class User < ApplicationRecord
+  validates :name, presence: true
+  validates :email, presence: true, uniqueness: {case_sensitive: false}
+
+  authenticates
+end

data/test/dummy/app/views/articles/also_secret.html.erb

@@ -0,0 +1 @@
+<p>Also-secret Articles</p>

data/test/dummy/app/views/articles/index.html.erb

@@ -0,0 +1 @@
+<p>Public Articles</p>

data/test/dummy/app/views/articles/secret.html.erb

@@ -0,0 +1 @@
+<p>Secret Articles</p>

data/test/dummy/app/views/articles/very_secret.html.erb

@@ -0,0 +1,2 @@
+<p>Very Secret Articles</p>
+

data/test/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,46 @@
+<html>
+  <head>
+    <meta charset="utf-8">
+    <%= csrf_meta_tags %>
+    <style>
+      nav {
+        border-bottom: 1px solid #ddd;
+        padding: 10px 0;
+      }
+      nav span {
+        margin: 0 5px;
+      }
+      main {
+        margin-top: 20px;
+      }
+    </style>
+  </head>
+  <body>
+    <nav>
+      <% if logged_in? %>
+        <span>Logged in as: <%= authenticated_model.email %></span>
+        <span><%= link_to 'Sessions', quo_vadis.sessions_path %></span>
+        <span><%= link_to 'Change password', quo_vadis.edit_password_path %></span>
+        <span><%= link_to '2FA', quo_vadis.twofa_path %></span>
+        <span><%= link_to 'Logs', quo_vadis.logs_path %></span>
+        <span><%= button_to 'Log out', quo_vadis.logout_path, method: :delete, form: {style: 'display:inline-block'} %></span>
+      <% else %>
+        <span><%= link_to 'Add user (without confirmation)', main_app.new_user_path %></span>
+        <span><%= link_to 'Sign up (with confirmation)', main_app.new_sign_up_path %></span>
+        <span><%= link_to 'Log in', quo_vadis.login_path %></span>
+      <% end %>
+    </nav>
+
+    <main>
+      <section>
+        <% %w[notice alert].select { |k| flash.key? k }.each do |k| %>
+          <div class="flash flash-<%= k %>">
+            <%= flash[k] %>
+          </div>
+        <% end %>
+      </section>
+
+      <%= yield %>
+    </main>
+  </body>
+</html>

data/test/dummy/app/views/quo_vadis/confirmations/edit.html.erb

@@ -0,0 +1,10 @@
+<h1>Confirm account</h1>
+
+<%= form_with url: confirmation_path(params[:token]), method: :put do |f| %>
+
+  <p>
+    <label>Please click the button to confirm your account:</label>
+    <%= f.submit %>
+  </p>
+
+<% end %>

data/test/dummy/app/views/quo_vadis/confirmations/index.html.erb

@@ -0,0 +1,5 @@
+<h1>Account confirmation</h1>
+
+<p>Please check your email.</p>
+
+<p><%= link_to 'Request a new email', new_confirmation_path %></p>

data/test/dummy/app/views/quo_vadis/confirmations/new.html.erb

@@ -0,0 +1,16 @@
+<h1>Resend confirmation instructions</h1>
+
+<%# Note that in this example the User identifier is :email. %>
+
+<p>If you didn't receive the confirmation email, please enter your email address and we'll send you another one.</p>
+
+<%= form_with url: confirmations_path, method: :post do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/test/dummy/app/views/quo_vadis/logs/index.html.erb

@@ -0,0 +1,28 @@
+<h1>Logs</h1>
+
+<table>
+  <thead>
+    <tr>
+      <th>Action</th>
+      <th>IP</th>
+      <th>Metadata</th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @logs.each do |log| %>
+      <tr>
+        <td><%= log.action %></td>
+        <td><%= log.ip %></td>
+        <td><%= log.metadata.empty? ? '' : log.metadata.map {|k,v| "#{k}: #{v}"}.join(', ') %></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<% if @prev_page %>
+  <%= link_to 'Newer', logs_path(page: @prev_page) %>
+<% end %>
+
+<% if @next_page %>
+  <%= link_to 'Older', logs_path(page: @next_page) %>
+<% end %>

data/test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb

@@ -0,0 +1,4 @@
+You can confirm your account here:
+
+<%= @url %>
+

data/test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your email address was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your <%= @identifier %> was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your password was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb

@@ -0,0 +1,8 @@
+Your password was reset just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb

@@ -0,0 +1,8 @@
+Recovery codes for two-factor authentication were generated for your account just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/test/dummy/app/views/quo_vadis/mailer/reset_password.text.erb

@@ -0,0 +1,4 @@
+You can reset your password here:
+
+<%= @url %>
+

data/test/dummy/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb

@@ -0,0 +1,6 @@
+Your two-factor authentication code was reused just now.
+
+It was rejected and whoever reused it was not able to log in.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>

data/test/dummy/app/views/quo_vadis/mailer/totp_setup_notification.text.erb

@@ -0,0 +1,8 @@
+Two-factor authentication was set up on your account just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.