RubyGems - quo_vadis - Versions diffs - 2.1.0 → 2.1.1 - Mend

quo_vadis 2.1.0 → 2.1.1

Files changed (45) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f8acc907c43d19fcc6f9be59854be5e848add025d427f78ec608b2e24677e73
-  data.tar.gz: efab0ab6fc83535466f6bb6e31bb056016c5220ef227155629601e5c17aff5b6
+  metadata.gz: 455075dcaacc7b730c0834edec721467fd36aed73ab25d55980f2db6baa5226c
+  data.tar.gz: 463eafcb85b1da5a09ebf990d38729f9e4a52e60856e83350df1f57fccbdd439
 SHA512:
-  metadata.gz: 8d34c8922431d4234650c50718a29b71a328b070582bb5b7fac74d4b1e2b6847bc2b130a197d6dcc05d93d2c0dab882a90fecf9faa3e1620f36acb48b9be3778
-  data.tar.gz: 4f471b97ff2a2dc0461ddac1f68c1e9f263ac5c188ab89daf2974f3c8f2e85c5e2b586da72b8c798d5f696acf3a2a7079aef57fb689f8f75f8113a38d56b2c2d
+  metadata.gz: 3113487a82c77378bec401e4c721923d2de127a0ad790cb96e754e83794dc236e2a8042f33305114f1b85b021ad12d08f9724e1338c3f0f4c1e536853482e93b
+  data.tar.gz: 0c03c57428c0642fbd29d0b9ad150e01d72a3bd4ef5eab35243584b4621a6d35aaba218af90b13cb7ef8a66f0ded8c0f02a842899c2ef3561d7b0279f5864a23

data/CHANGELOG.md CHANGED Viewed

@@ -1,8 +1,20 @@
 # CHANGELOG
+## HEAD
+## 2.1.1 (8 July 2021)
+* Remove unnecessary route names.
+* Add user revocation.
+* Ensure password is only updated via #change or #reset.
+* Move views into gem's app/views/ directory.
 ## 2.1.0 (25 June 2021)
+* Do not require password on create.
 * Fix incorrect assignment of built association.
 * Add i18n translations for log actions.
 * Use model instance in change-password form.

data/README.md CHANGED Viewed

@@ -246,19 +246,19 @@ class UsersController < ApplicationController
 end
 ```
-QuoVadis will send the user an email with a link.  Write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb)).  It must be in `app/views/quo_vadis/mailer/account_confirmation.{text,html}.erb` and output the `@url` variable.
+QuoVadis will send the user an email with a link.  Write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/account_confirmation.text.erb)).  It must be in `app/views/quo_vadis/mailer/account_confirmation.{text,html}.erb` and output the `@url` variable.
 See the Configuration section below for how to set QuoVadis's emails' from addresses, headers, etc.
-Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/index.html.erb)).  It must be in `app/views/quo_vadis/confirmations/index.html.:format`.
+Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/index.html.erb)).  It must be in `app/views/quo_vadis/confirmations/index.html.:format`.
 On that page you can show the user the address the email was sent to, enable them to update their email address if they make a mistake on the sign-up form, and provide a button to resend another email directly.  If the sign-up occurred in a different browser session, you can instead link to `new_confirmation_path` where the user can request another email if need be.
-Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/edit.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit.html.:format`.
+Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/edit.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit.html.:format`.
-Next, write the page where the user can amend their email address if they made a mistake when signing up ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/edit_email.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit_email.html.:format`.
+Next, write the page where the user can amend their email address if they made a mistake when signing up ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/edit_email.html.erb)).  It must be in `app/views/quo_vadis/confirmations/edit_email.html.:format`.
-Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another confirmation email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/confirmations/new.html.erb)).  It must be in `app/views/quo_vadis/confirmations/new.html.:format`.
+Finally, write the page where people can put in their identifier (not their email, unless the identifier is email) again to request another confirmation email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/confirmations/new.html.erb)).  It must be in `app/views/quo_vadis/confirmations/new.html.:format`.
 After the user has confirmed their account, they will be logged in and redirected to the first of these that exists:
@@ -272,7 +272,7 @@ So add whichever works best for you.
 Use `before_action :require_password_authentication` or `before_action :require_authentication` in your controllers.
-Write the login view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/sessions/new.html.erb)).  Your login form must be in `app/views/quo_vadis/sessions/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
+Write the login view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/sessions/new.html.erb)).  Your login form must be in `app/views/quo_vadis/sessions/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
 If you include a `remember` checkbox in your login form:
@@ -312,22 +312,22 @@ In your views, have a link where users can manage their 2FA:
 link_to '2FA', quo_vadis.twofa_path
 ```
-Write the 2FA overview page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/twofas/show.html.erb)).  It must be in `app/views/quo_vadis/twofas/show.html.:format`.  This page allows the user to set up 2FA, deactivate or reset it, and generate new recovery codes.
+Write the 2FA overview page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/twofas/show.html.erb)).  It must be in `app/views/quo_vadis/twofas/show.html.:format`.  This page allows the user to set up 2FA, deactivate or reset it, and generate new recovery codes.
-Next, write the TOTP setup page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/totps/new.html.erb)).  It must be in `app/views/quo_vadis/totps/new.html.:format`.  This page shows the user a QR code (and the key as text) which they scan with their authenticator.
+Next, write the TOTP setup page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/totps/new.html.erb)).  It must be in `app/views/quo_vadis/totps/new.html.:format`.  This page shows the user a QR code (and the key as text) which they scan with their authenticator.
-Next, write the recovery codes page ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/recovery_codes/index.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/index.html.:format`.  This shows the recovery codes immediately after TOTP is setup, and immediately after generating fresh recovery codes, but not otherwise.
+Next, write the recovery codes page ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/recovery_codes/index.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/index.html.:format`.  This shows the recovery codes immediately after TOTP is setup, and immediately after generating fresh recovery codes, but not otherwise.
-Next, write the TOTP challenge page where a user inputs their 6-digit TOTP ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/totps/challenge.html.erb)).  It must be in `app/views/quo_vadis/totps/challenge.html.:format`.  It's a good idea to link to the recovery code page (`challenge_recovery_codes_path`) for any user who has lost their authenticator.
+Next, write the TOTP challenge page where a user inputs their 6-digit TOTP ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/totps/challenge.html.erb)).  It must be in `app/views/quo_vadis/totps/challenge.html.:format`.  It's a good idea to link to the recovery code page (`challenge_recovery_codes_path`) for any user who has lost their authenticator.
-Finally, write the recovery code challenge page where a user inputs one of their recovery codes ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/recovery_codes/challenge.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/challenge.html.:format`.  A recovery code can only be used once, and using one deactivates TOTP – so the user will have to set it up again next time.
+Finally, write the recovery code challenge page where a user inputs one of their recovery codes ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/recovery_codes/challenge.html.erb)).  It must be in `app/views/quo_vadis/recovery_codes/challenge.html.:format`.  A recovery code can only be used once, and using one deactivates TOTP – so the user will have to set it up again next time.
 ### Change password
 To change their password, the user must provide their current one as well as the new one.
-Write the change-password form ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/passwords/edit.html.erb)).  It must be in `app/views/quo_vadis/passwords/edit.html.:format`.
+Write the change-password form ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/passwords/edit.html.erb)).  It must be in `app/views/quo_vadis/passwords/edit.html.:format`.
 After the password has been changed, the user is redirected to the first of:
@@ -347,17 +347,17 @@ The user can reset their password if they lose it.  The flow is:
 4. [Password-reset confirmation page] The user enters their new password and clicks a button.
 5. QuoVadis sets the user's password and logs them in.
-First, write the page where the user requests a password-reset ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/new.html.erb)).  It must be in `app/views/quo_vadis/password_resets/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
+First, write the page where the user requests a password-reset ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/new.html.erb)).  It must be in `app/views/quo_vadis/password_resets/new.html.:format`.  Note it must capture the user's identifier (not email, unless the identifier is email).
 See the Configuration section below for how to set QuoVadis's emails' from addresses, headers, etc.
-Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/index.html.erb)).  It must be in `app/views/quo_vadis/password_resets/index.html.:format`.
+Now write the page to where the user is redirected while they wait for the email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/index.html.erb)).  It must be in `app/views/quo_vadis/password_resets/index.html.:format`.
 It's a good idea for that page to link to `new_password_reset_path` where the user can request another email if need be.
-Now write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/reset_password.text.erb)).  It must be in `app/views/quo_vadis/mailer/reset_password.{text,html}.erb` and output the `@url` variable.
+Now write the email view ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/reset_password.text.erb)).  It must be in `app/views/quo_vadis/mailer/reset_password.{text,html}.erb` and output the `@url` variable.
-Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/password_resets/edit.html.erb)).  It must be in `app/views/quo_vadis/password_resets/edit.html.:format`.
+Next, write the page to which the link in the email points ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/password_resets/edit.html.erb)).  It must be in `app/views/quo_vadis/password_resets/edit.html.:format`.
 After the user has reset their password, they will be logged in and redirected to the first of these that exists:
@@ -371,14 +371,14 @@ A logged-in session lasts for either the browser session or `QuoVadis.session_li
 A user can view their active sessions and log out of any of them.
-Write the view showing the sessions ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/sessions/index.html.erb)).  It must be in `app/views/quo_vadis/sessions/index.html.:format`.
+Write the view showing the sessions ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/sessions/index.html.erb)).  It must be in `app/views/quo_vadis/sessions/index.html.:format`.
 ### Audit trail
 An audit trail is kept of authentication events.  You can see the full list in the [`Log`](https://github.com/airblade/quo_vadis/blob/master/app/models/quo_vadis/log.rb) class.
-Write the view showing the events ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/logs/index.html.erb)).  It must be in `app/views/quo_vadis/logs/index.html.:format`.
+Write the view showing the events ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/logs/index.html.erb)).  It must be in `app/views/quo_vadis/logs/index.html.:format`.
 ### Notifications
@@ -387,18 +387,23 @@ QuoVadis notifies users by email whenever their authentication details are chang
 Write the corresponding mailer views:
-- change of email ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb))
-- change of identifier (unless the identifier is email) ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb))
-- change of password ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb))
-- reset of password ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb))
-- TOTP setup ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/totp_setup_notification.text.erb))
-- TOTP code used a second time ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb))
-- 2FA deactivated ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb))
-- recovery codes generated ([example](https://github.com/airblade/quo_vadis/blob/master/test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb))
+- change of email ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/email_change_notification.text.erb))
+- change of identifier (unless the identifier is email) ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/identifier_change_notification.text.erb))
+- change of password ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/password_change_notification.text.erb))
+- reset of password ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/password_reset_notification.text.erb))
+- TOTP setup ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/totp_setup_notification.text.erb))
+- TOTP code used a second time ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb))
+- 2FA deactivated ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb))
+- recovery codes generated ([example](https://github.com/airblade/quo_vadis/blob/master/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb))
 They must be in `app/views/quo_vadis/mailer/NAME.{text,html}.erb`.
+### Revocation
+You can revoke a user's access by calling `#revoke_authentication_credentials` on the model instance.  This deletes the user's password, TOTP credential, recovery codes, and active sessions.  Their authentication logs, or audit trail, are preserved.
 ## Configuration
 This is QuoVadis' [default configuration](https://github.com/airblade/quo_vadis/blob/master/lib/quo_vadis/defaults.rb):

data/app/controllers/quo_vadis/password_resets_controller.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module QuoVadis
       if account
         token = QuoVadis::PasswordResetToken.generate account
-        QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.edit_password_reset_url(token)
+        QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.password_reset_url(token)
       end
       redirect_to password_resets_path, notice: QuoVadis.translate('flash.password_reset.create')

data/app/models/quo_vadis/account.rb CHANGED Viewed

@@ -35,6 +35,19 @@ module QuoVadis
       Array.new(MAX_NUMBER_OF_RECOVERY_CODES) { recovery_codes.create }.map &:code
     end
+    def revoke
+      password&.destroy
+      totp&.destroy
+      recovery_codes.destroy_all
+      sessions.destroy_all
+      Log.create(
+        account: self,
+        action: Log::REVOKE,
+        ip: (CurrentRequestDetails.ip || '')
+      )
+    end
     private
     def log_identifier_change

data/app/models/quo_vadis/log.rb CHANGED Viewed

@@ -22,6 +22,7 @@ module QuoVadis
     ACCOUNT_CONFIRMATION   = 'account.confirmation'
     LOGOUT_OTHER           = 'logout.other'
     LOGOUT                 = 'logout.self'
+    REVOKE                 = 'revoke'
     ACTIONS = [
       LOGIN_SUCCESS,
@@ -41,7 +42,8 @@ module QuoVadis
       PASSWORD_RESET,
       ACCOUNT_CONFIRMATION,
       LOGOUT_OTHER,
-      LOGOUT
+      LOGOUT,
+      REVOKE
     ]
     belongs_to :account, optional: true  # optional only for LOGIN_UNKNOWN

data/app/models/quo_vadis/password.rb CHANGED Viewed

@@ -7,6 +7,7 @@ module QuoVadis
     has_secure_password
     validates_length_of :password, minimum: QuoVadis.password_minimum_length, allow_blank: true
+    validate :password_updated_legitimately, on: :update
     attr_accessor :new_password
@@ -48,5 +49,20 @@ module QuoVadis
       save
     end
+    private
+    def password_updated_legitimately
+      return unless password_digest_changed?
+      unless change_or_reset_called?
+        errors.add :password, 'must be updated via #change or #reset'
+      end
+    end
+    def change_or_reset_called?
+      caller_locations.any? { |loc|
+        ['change', 'reset'].include?(loc.label) && Pathname.new(loc.path).basename.to_s == 'password.rb'
+      }
+    end
   end
 end

data/{test/dummy/app → app}/views/quo_vadis/confirmations/edit.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/confirmations/edit_email.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/confirmations/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/confirmations/new.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/logs/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/account_confirmation.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/email_change_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/identifier_change_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/password_change_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/password_reset_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/reset_password.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/totp_reuse_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/totp_setup_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/password_resets/edit.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/password_resets/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/password_resets/new.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/passwords/edit.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/recovery_codes/challenge.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/recovery_codes/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/sessions/index.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/sessions/new.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/totps/challenge.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/totps/new.html.erb RENAMED Viewed

File without changes

data/{test/dummy/app → app}/views/quo_vadis/twofas/show.html.erb RENAMED Viewed

File without changes

data/config/locales/quo_vadis.en.yml CHANGED Viewed

@@ -74,6 +74,7 @@ en:
         logout:
           self: Logged out
           other: Logged out session remotely
+        revoke: Revoked access
   activerecord:
     errors:
       models:

data/config/routes.rb CHANGED Viewed

@@ -12,8 +12,8 @@ QuoVadis::Engine.routes.draw do
   resource  :password, only: [:edit, :update]
   resources :password_resets, only: [:new, :create, :index]
-  get '/pwd-reset/:token', to: 'password_resets#edit',   as: 'edit_password_reset'
-  put '/pwd-reset/:token', to: 'password_resets#update', as: 'password_reset'
+  get '/pwd-reset/:token', to: 'password_resets#edit', as: 'password_reset'
+  put '/pwd-reset/:token', to: 'password_resets#update'
   resources :confirmations, only: [:new, :create, :index] do
     collection do
@@ -22,8 +22,8 @@ QuoVadis::Engine.routes.draw do
       post :resend
     end
   end
-  get '/confirm/:token', to: 'confirmations#edit',   as: 'edit_confirmation'
-  put '/confirm/:token', to: 'confirmations#update', as: 'confirmation'
+  get '/confirm/:token', to: 'confirmations#edit', as: 'confirmation'
+  put '/confirm/:token', to: 'confirmations#update'
   resources :totps, only: [:new, :create] do
     collection do

data/lib/generators/quo_vadis/install_generator.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module QuoVadis
   class InstallGenerator < Rails::Generators::Base
-    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'test' / 'dummy' / 'app' / 'views' / 'quo_vadis'
+    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'app' / 'views' / 'quo_vadis'
     desc "Copy QuoVadis' views into your app."
     def copy_views

data/lib/quo_vadis/controller.rb CHANGED Viewed

@@ -87,7 +87,7 @@ module QuoVadis
     def request_confirmation(model)
       token = QuoVadis::AccountConfirmationToken.generate model.qv_account
-      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.edit_confirmation_url(token)
+      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.confirmation_url(token)
       session[:account_pending_confirmation] = model.qv_account.id
       flash[:notice] = QuoVadis.translate 'flash.confirmation.create'

data/lib/quo_vadis/model.rb CHANGED Viewed

@@ -53,6 +53,10 @@ module QuoVadis
         (qv_account.password || qv_account.build_password).password_confirmation = val
       end
+      def revoke_authentication_credentials
+        qv_account.revoke
+      end
       private
       def qv_copy_password_errors

data/lib/quo_vadis/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module QuoVadis
-  VERSION = '2.1.0'
+  VERSION = '2.1.1'
 end

data/test/integration/logging_test.rb CHANGED Viewed

@@ -201,6 +201,15 @@ class LoggingTest < IntegrationTest
   end
+  test 'revoke' do
+    login_new_session
+    assert_log QuoVadis::Log::REVOKE do
+      QuoVadis::CurrentRequestDetails.ip = '127.0.0.1'  # fake out the IP assertion
+      @account.revoke
+    end
+  end
   private
   def assert_log(action, metadata = {}, account = @account, &block)

data/test/integration/password_reset_test.rb CHANGED Viewed

@@ -56,7 +56,7 @@ class PasswordResetTest < IntegrationTest
     put quo_vadis.password_reset_path(extract_token_from_email, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
     assert controller.logged_in?
-    get quo_vadis.edit_password_reset_url(extract_token_from_email)
+    get quo_vadis.password_reset_url(extract_token_from_email)
     assert_redirected_to quo_vadis.new_password_reset_path
     assert_equal 'Either the link has expired or you have already reset your password.', flash[:alert]
   end

data/test/models/account_test.rb CHANGED Viewed

@@ -31,4 +31,20 @@ class AccountTest < ActiveSupport::TestCase
     end
   end
+  test 'revoke' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = u.qv_account
+    account.create_totp last_used_at: 1.minute.ago
+    account.generate_recovery_codes
+    u.revoke_authentication_credentials
+    account.reload
+    assert_nil account.password
+    assert_nil account.totp
+    assert_empty account.recovery_codes
+    assert_empty account.sessions
+  end
 end

data/test/models/password_test.rb CHANGED Viewed

@@ -120,6 +120,19 @@ class PasswordTest < ActiveSupport::TestCase
   end
+  test 'passwords can only be updated via #change and #reset' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+    refute pw.update password: 'secretsecret'
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+    pw.password = VALID_PASSWORD
+    refute pw.save
+    assert_equal ["must be updated via #change or #reset"], pw.errors[:password]
+  end
   test 'cascade destroy' do
     user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
     assert user.qv_account.persisted?

data/test/models/token_test.rb CHANGED Viewed

@@ -52,7 +52,7 @@ class TokenTest < ActiveSupport::TestCase
   test 'password reset already done' do
     token = QuoVadis::PasswordResetToken.generate @account
-    @account.password.update password: 'secretsecret'
+    @account.password.reset 'secretsecret', 'secretsecret'
     assert_nil QuoVadis::PasswordResetToken.find_account(token)
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quo_vadis
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Andy Stewart
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-25 00:00:00.000000000 Z
+date: 2021-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -97,6 +97,32 @@ files:
 - app/models/quo_vadis/session.rb
 - app/models/quo_vadis/token.rb
 - app/models/quo_vadis/totp.rb
+- app/views/quo_vadis/confirmations/edit.html.erb
+- app/views/quo_vadis/confirmations/edit_email.html.erb
+- app/views/quo_vadis/confirmations/index.html.erb
+- app/views/quo_vadis/confirmations/new.html.erb
+- app/views/quo_vadis/logs/index.html.erb
+- app/views/quo_vadis/mailer/account_confirmation.text.erb
+- app/views/quo_vadis/mailer/email_change_notification.text.erb
+- app/views/quo_vadis/mailer/identifier_change_notification.text.erb
+- app/views/quo_vadis/mailer/password_change_notification.text.erb
+- app/views/quo_vadis/mailer/password_reset_notification.text.erb
+- app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb
+- app/views/quo_vadis/mailer/reset_password.text.erb
+- app/views/quo_vadis/mailer/totp_reuse_notification.text.erb
+- app/views/quo_vadis/mailer/totp_setup_notification.text.erb
+- app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb
+- app/views/quo_vadis/password_resets/edit.html.erb
+- app/views/quo_vadis/password_resets/index.html.erb
+- app/views/quo_vadis/password_resets/new.html.erb
+- app/views/quo_vadis/passwords/edit.html.erb
+- app/views/quo_vadis/recovery_codes/challenge.html.erb
+- app/views/quo_vadis/recovery_codes/index.html.erb
+- app/views/quo_vadis/sessions/index.html.erb
+- app/views/quo_vadis/sessions/new.html.erb
+- app/views/quo_vadis/totps/challenge.html.erb
+- app/views/quo_vadis/totps/new.html.erb
+- app/views/quo_vadis/twofas/show.html.erb
 - bin/console
 - bin/rails
 - bin/setup
@@ -131,32 +157,6 @@ files:
 - test/dummy/app/views/articles/secret.html.erb
 - test/dummy/app/views/articles/very_secret.html.erb
 - test/dummy/app/views/layouts/application.html.erb
-- test/dummy/app/views/quo_vadis/confirmations/edit.html.erb
-- test/dummy/app/views/quo_vadis/confirmations/edit_email.html.erb
-- test/dummy/app/views/quo_vadis/confirmations/index.html.erb
-- test/dummy/app/views/quo_vadis/confirmations/new.html.erb
-- test/dummy/app/views/quo_vadis/logs/index.html.erb
-- test/dummy/app/views/quo_vadis/mailer/account_confirmation.text.erb
-- test/dummy/app/views/quo_vadis/mailer/email_change_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/identifier_change_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/password_change_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/password_reset_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/reset_password.text.erb
-- test/dummy/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/totp_setup_notification.text.erb
-- test/dummy/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb
-- test/dummy/app/views/quo_vadis/password_resets/edit.html.erb
-- test/dummy/app/views/quo_vadis/password_resets/index.html.erb
-- test/dummy/app/views/quo_vadis/password_resets/new.html.erb
-- test/dummy/app/views/quo_vadis/passwords/edit.html.erb
-- test/dummy/app/views/quo_vadis/recovery_codes/challenge.html.erb
-- test/dummy/app/views/quo_vadis/recovery_codes/index.html.erb
-- test/dummy/app/views/quo_vadis/sessions/index.html.erb
-- test/dummy/app/views/quo_vadis/sessions/new.html.erb
-- test/dummy/app/views/quo_vadis/totps/challenge.html.erb
-- test/dummy/app/views/quo_vadis/totps/new.html.erb
-- test/dummy/app/views/quo_vadis/twofas/show.html.erb
 - test/dummy/app/views/sign_ups/new.html.erb
 - test/dummy/app/views/sign_ups/show.html.erb
 - test/dummy/app/views/users/new.html.erb
@@ -224,7 +224,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Multifactor authentication for Rails 6.