RubyGems - sorcery - Versions diffs - 0.13.0 → 0.14.0 - Mend

sorcery 0.13.0 → 0.14.0

Potentially problematic release.

This version of sorcery might be problematic. Click here for more details.

Files changed (39) hide show

checksums.yaml +4 -4
data/.travis.yml +0 -26
data/CHANGELOG.md +13 -0
data/Gemfile +1 -1
data/README.md +2 -1
data/lib/generators/sorcery/templates/initializer.rb +85 -85
data/lib/generators/sorcery/templates/migration/activity_logging.rb +4 -4
data/lib/generators/sorcery/templates/migration/brute_force_protection.rb +3 -3
data/lib/generators/sorcery/templates/migration/core.rb +2 -2
data/lib/generators/sorcery/templates/migration/external.rb +3 -3
data/lib/generators/sorcery/templates/migration/magic_login.rb +3 -3
data/lib/generators/sorcery/templates/migration/remember_me.rb +2 -2
data/lib/generators/sorcery/templates/migration/reset_password.rb +4 -4
data/lib/generators/sorcery/templates/migration/user_activation.rb +3 -3
data/lib/sorcery/controller/submodules/activity_logging.rb +10 -3
data/lib/sorcery/controller/submodules/brute_force_protection.rb +7 -3
data/lib/sorcery/controller/submodules/external.rb +1 -0
data/lib/sorcery/controller/submodules/http_basic_auth.rb +4 -1
data/lib/sorcery/controller/submodules/remember_me.rb +7 -2
data/lib/sorcery/controller/submodules/session_timeout.rb +7 -2
data/lib/sorcery/crypto_providers/aes256.rb +1 -1
data/lib/sorcery/crypto_providers/bcrypt.rb +6 -1
data/lib/sorcery/model.rb +1 -0
data/lib/sorcery/model/config.rb +5 -0
data/lib/sorcery/model/submodules/magic_login.rb +7 -4
data/lib/sorcery/model/submodules/reset_password.rb +6 -2
data/lib/sorcery/providers/line.rb +47 -0
data/lib/sorcery/providers/linkedin.rb +20 -36
data/lib/sorcery/version.rb +1 -1
data/spec/controllers/controller_oauth2_spec.rb +8 -0
data/spec/rails_app/app/controllers/sorcery_controller.rb +20 -0
data/spec/rails_app/config/routes.rb +3 -0
data/spec/shared_examples/user_reset_password_shared_examples.rb +18 -2
data/spec/shared_examples/user_shared_examples.rb +63 -0
data/spec/sorcery_crypto_providers_spec.rb +60 -0
metadata +3 -5
data/gemfiles/active_record_rails_40.gemfile +0 -6
data/gemfiles/active_record_rails_41.gemfile +0 -6
data/gemfiles/active_record_rails_42.gemfile +0 -6

data/lib/generators/sorcery/templates/migration/activity_logging.rb CHANGED Viewed

@@ -1,9 +1,9 @@
 class SorceryActivityLogging < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :last_login_at,     :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :last_logout_at,    :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :last_activity_at,  :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :last_login_from_ip_address, :string, :default => nil
+    add_column :<%= model_class_name.tableize %>, :last_login_at,     :datetime, default: nil
+    add_column :<%= model_class_name.tableize %>, :last_logout_at,    :datetime, default: nil
+    add_column :<%= model_class_name.tableize %>, :last_activity_at,  :datetime, default: nil
+    add_column :<%= model_class_name.tableize %>, :last_login_from_ip_address, :string, default: nil
     add_index :<%= model_class_name.tableize %>, [:last_logout_at, :last_activity_at]
   end

data/lib/generators/sorcery/templates/migration/brute_force_protection.rb CHANGED Viewed

@@ -1,8 +1,8 @@
 class SorceryBruteForceProtection < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :failed_logins_count, :integer, :default => 0
-    add_column :<%= model_class_name.tableize %>, :lock_expires_at, :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :unlock_token, :string, :default => nil
+    add_column :<%= model_class_name.tableize %>, :failed_logins_count, :integer, default: 0
+    add_column :<%= model_class_name.tableize %>, :lock_expires_at, :datetime, default: nil
+    add_column :<%= model_class_name.tableize %>, :unlock_token, :string, default: nil
     add_index :<%= model_class_name.tableize %>, :unlock_token
   end

data/lib/generators/sorcery/templates/migration/core.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 class SorceryCore < <%= migration_class_name %>
   def change
     create_table :<%= model_class_name.tableize %> do |t|
-      t.string :email,            :null => false
+      t.string :email,            null: false
       t.string :crypted_password
       t.string :salt
-      t.timestamps                :null => false
+      t.timestamps                null: false
     end
     add_index :<%= model_class_name.tableize %>, :email, unique: true

data/lib/generators/sorcery/templates/migration/external.rb CHANGED Viewed

@@ -1,10 +1,10 @@
 class SorceryExternal < <%= migration_class_name %>
   def change
     create_table :authentications do |t|
-      t.integer :<%= model_class_name.tableize.singularize %>_id, :null => false
-      t.string :provider, :uid, :null => false
+      t.integer :<%= model_class_name.tableize.singularize %>_id, null: false
+      t.string :provider, :uid, null: false
-      t.timestamps              :null => false
+      t.timestamps              null: false
     end
     add_index :authentications, [:provider, :uid]

data/lib/generators/sorcery/templates/migration/magic_login.rb CHANGED Viewed

@@ -1,8 +1,8 @@
 class SorceryMagicLogin < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :magic_login_token, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :magic_login_token_expires_at, :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :magic_login_email_sent_at, :datetime, :default => nil
+    add_column :<%= model_class_name.tableize %>, :magic_login_token, :string, default: nil
+    add_column :<%= model_class_name.tableize %>, :magic_login_token_expires_at, :datetime, default: nil
+    add_column :<%= model_class_name.tableize %>, :magic_login_email_sent_at, :datetime, default: nil
     add_index :<%= model_class_name.tableize %>, :magic_login_token
   end

data/lib/generators/sorcery/templates/migration/remember_me.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 class SorceryRememberMe < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :remember_me_token, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :remember_me_token_expires_at, :datetime, :default => nil
+    add_column :<%= model_class_name.tableize %>, :remember_me_token, :string, default: nil
+    add_column :<%= model_class_name.tableize %>, :remember_me_token_expires_at, :datetime, default: nil
     add_index :<%= model_class_name.tableize %>, :remember_me_token
   end

data/lib/generators/sorcery/templates/migration/reset_password.rb CHANGED Viewed

@@ -1,9 +1,9 @@
 class SorceryResetPassword < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :reset_password_token, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :reset_password_token_expires_at, :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :reset_password_email_sent_at, :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :access_count_to_reset_password_page, :integer, :default => 0
+    add_column :<%= model_class_name.tableize %>, :reset_password_token, :string, default: nil
+    add_column :<%= model_class_name.tableize %>, :reset_password_token_expires_at, :datetime, default: nil
+    add_column :<%= model_class_name.tableize %>, :reset_password_email_sent_at, :datetime, default: nil
+    add_column :<%= model_class_name.tableize %>, :access_count_to_reset_password_page, :integer, default: 0
     add_index :<%= model_class_name.tableize %>, :reset_password_token
   end

data/lib/generators/sorcery/templates/migration/user_activation.rb CHANGED Viewed

@@ -1,8 +1,8 @@
 class SorceryUserActivation < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :activation_state, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :activation_token, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :activation_token_expires_at, :datetime, :default => nil
+    add_column :<%= model_class_name.tableize %>, :activation_state, :string, default: nil
+    add_column :<%= model_class_name.tableize %>, :activation_token, :string, default: nil
+    add_column :<%= model_class_name.tableize %>, :activation_token_expires_at, :datetime, default: nil
     add_index :<%= model_class_name.tableize %>, :activation_token
   end

data/lib/sorcery/controller/submodules/activity_logging.rb CHANGED Viewed

@@ -30,9 +30,16 @@ module Sorcery
             end
             merge_activity_logging_defaults!
           end
-          Config.after_login    << :register_login_time_to_db
-          Config.after_login    << :register_last_ip_address
-          Config.before_logout  << :register_logout_time_to_db
+          # FIXME: There is likely a more elegant way to safeguard these callbacks.
+          unless Config.after_login.include?(:register_login_time_to_db)
+            Config.after_login << :register_login_time_to_db
+          end
+          unless Config.after_login.include?(:register_last_ip_address)
+            Config.after_login << :register_last_ip_address
+          end
+          unless Config.before_logout.include?(:register_logout_time_to_db)
+            Config.before_logout << :register_logout_time_to_db
+          end
           base.after_action :register_last_activity_time_to_db
         end

data/lib/sorcery/controller/submodules/brute_force_protection.rb CHANGED Viewed

@@ -10,9 +10,13 @@ module Sorcery
       module BruteForceProtection
         def self.included(base)
           base.send(:include, InstanceMethods)
-          Config.after_login << :reset_failed_logins_count!
-          Config.after_failed_login << :update_failed_logins_count!
+          # FIXME: There is likely a more elegant way to safeguard these callbacks.
+          unless Config.after_login.include?(:reset_failed_logins_count!)
+            Config.after_login << :reset_failed_logins_count!
+          end
+          unless Config.after_failed_login.include?(:update_failed_logins_count!)
+            Config.after_failed_login << :update_failed_logins_count!
+          end
         end
         module InstanceMethods

data/lib/sorcery/controller/submodules/external.rb CHANGED Viewed

@@ -25,6 +25,7 @@ module Sorcery
           require 'sorcery/providers/microsoft'
           require 'sorcery/providers/instagram'
           require 'sorcery/providers/auth0'
+          require 'sorcery/providers/line'
           Config.module_eval do
             class << self

data/lib/sorcery/controller/submodules/http_basic_auth.rb CHANGED Viewed

@@ -19,7 +19,10 @@ module Sorcery
             end
             merge_http_basic_auth_defaults!
           end
-          Config.login_sources << :login_from_basic_auth
+          # FIXME: There is likely a more elegant way to safeguard these callbacks.
+          unless Config.login_sources.include?(:login_from_basic_auth)
+            Config.login_sources << :login_from_basic_auth
+          end
         end
         module InstanceMethods

data/lib/sorcery/controller/submodules/remember_me.rb CHANGED Viewed

@@ -17,8 +17,13 @@ module Sorcery
             end
             merge_remember_me_defaults!
           end
-          Config.login_sources << :login_from_cookie
-          Config.before_logout << :forget_me!
+          # FIXME: There is likely a more elegant way to safeguard these callbacks.
+          unless Config.login_sources.include?(:login_from_cookie)
+            Config.login_sources << :login_from_cookie
+          end
+          unless Config.before_logout.include?(:forget_me!)
+            Config.before_logout << :forget_me!
+          end
         end
         module InstanceMethods

data/lib/sorcery/controller/submodules/session_timeout.rb CHANGED Viewed

@@ -23,8 +23,13 @@ module Sorcery
             end
             merge_session_timeout_defaults!
           end
-          Config.after_login << :register_login_time
-          Config.after_remember_me << :register_login_time
+          # FIXME: There is likely a more elegant way to safeguard these callbacks.
+          unless Config.after_login.include?(:register_login_time)
+            Config.after_login << :register_login_time
+          end
+          unless Config.after_remember_me.include?(:register_login_time)
+            Config.after_remember_me << :register_login_time
+          end
           base.prepend_before_action :validate_session
         end

data/lib/sorcery/crypto_providers/aes256.rb CHANGED Viewed

@@ -29,7 +29,7 @@ module Sorcery
         def matches?(crypted, *tokens)
           decrypt(crypted) == tokens.join
-        rescue OpenSSL::CipherError
+        rescue OpenSSL::Cipher::CipherError
           false
         end

data/lib/sorcery/crypto_providers/bcrypt.rb CHANGED Viewed

@@ -40,6 +40,10 @@ module Sorcery
     # You are good to go!
     class BCrypt
       class << self
+        # Setting the option :pepper allows users to append an app-specific secret token.
+        # Basically it's equivalent to :salt_join_token option, but have a different name to ensure
+        # backward compatibility in generating/matching passwords.
+        attr_accessor :pepper
         # This is the :cost option for the BCrpyt library.
         # The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
         # Set this to whatever you want, play around with it to get that perfect balance between
@@ -77,12 +81,13 @@ module Sorcery
         def reset!
           @cost = 10
+          @pepper = ''
         end
         private
         def join_tokens(tokens)
-          tokens.flatten.join
+          tokens.flatten.join.concat(pepper.to_s) # make sure to add pepper in case tokens have only one element
         end
         def new_from_hash(hash)

data/lib/sorcery/model.rb CHANGED Viewed

@@ -142,6 +142,7 @@ module Sorcery
       def set_encryption_attributes
         @sorcery_config.encryption_provider.stretches = @sorcery_config.stretches if @sorcery_config.encryption_provider.respond_to?(:stretches) && @sorcery_config.stretches
         @sorcery_config.encryption_provider.join_token = @sorcery_config.salt_join_token if @sorcery_config.encryption_provider.respond_to?(:join_token) && @sorcery_config.salt_join_token
+        @sorcery_config.encryption_provider.pepper = @sorcery_config.pepper if @sorcery_config.encryption_provider.respond_to?(:pepper) && @sorcery_config.pepper
       end
       def add_config_inheritance

data/lib/sorcery/model/config.rb CHANGED Viewed

@@ -12,7 +12,11 @@ module Sorcery
       attr_accessor :downcase_username_before_authenticating
       # change default crypted_password attribute.
       attr_accessor :crypted_password_attribute_name
+      # application-specific secret token that is joined with the password and its salt.
+      # Currently available with BCrypt (default crypt provider) only.
+      attr_accessor :pepper
       # what pattern to use to join the password with the salt
+      # APPLICABLE TO MD5, SHA1, SHA256, SHA512. Other crypt providers (incl. BCrypt) ignore this parameter.
       attr_accessor :salt_join_token
       # change default salt attribute.
       attr_accessor :salt_attribute_name
@@ -57,6 +61,7 @@ module Sorcery
           :@encryption_provider                  => CryptoProviders::BCrypt,
           :@custom_encryption_provider           => nil,
           :@encryption_key                       => nil,
+          :@pepper                               => '',
           :@salt_join_token                      => '',
           :@salt_attribute_name                  => :salt,
           :@stretches                            => nil,

data/lib/sorcery/model/submodules/magic_login.rb CHANGED Viewed

@@ -52,10 +52,13 @@ module Sorcery
         module ClassMethods
           # Find user by token, also checks for expiration.
           # Returns the user if token found and is valid.
-          def load_from_magic_login_token(token)
-            token_attr_name = @sorcery_config.magic_login_token_attribute_name
-            token_expiration_date_attr = @sorcery_config.magic_login_token_expires_at_attribute_name
-            load_from_token(token, token_attr_name, token_expiration_date_attr)
+          def load_from_magic_login_token(token, &block)
+            load_from_token(
+              token,
+              @sorcery_config.magic_login_token_attribute_name,
+              @sorcery_config.magic_login_token_expires_at_attribute_name,
+              &block
+            )
           end
           protected

data/lib/sorcery/model/submodules/reset_password.rb CHANGED Viewed

@@ -124,10 +124,14 @@ module Sorcery
           end
           # Clears token and tries to update the new password for the user.
-          def change_password!(new_password)
+          def change_password(new_password, raise_on_failure: false)
             clear_reset_password_token
             send(:"#{sorcery_config.password_attribute_name}=", new_password)
-            sorcery_adapter.save raise_on_failure: true
+            sorcery_adapter.save raise_on_failure: raise_on_failure
+          end
+          def change_password!(new_password)
+            change_password(new_password, raise_on_failure: true)
           end
           protected

data/lib/sorcery/providers/line.rb ADDED Viewed

@@ -0,0 +1,47 @@
+module Sorcery
+  module Providers
+    # This class adds support for OAuth with line.com.
+    #
+    #   config.line.key = <key>
+    #   config.line.secret = <secret>
+    #   ...
+    #
+    class Line < Base
+      include Protocols::Oauth2
+      attr_accessor :token_url, :user_info_path, :auth_path
+      def initialize
+        super
+        @site           = 'https://access.line.me'
+        @user_info_path = 'https://api.line.me/v2/profile'
+        @token_url      = 'https://api.line.me/v2/oauth/accessToken'
+        @auth_path      = 'dialog/oauth/weblogin'
+      end
+      def get_user_hash(access_token)
+        response = access_token.get(user_info_path)
+        auth_hash(access_token).tap do |h|
+          h[:user_info] = JSON.parse(response.body)
+          h[:uid] = h[:user_info]['userId'].to_s
+        end
+      end
+      # calculates and returns the url to which the user should be redirected,
+      # to get authenticated at the external provider's site.
+      def login_url(_params, _session)
+        @state = SecureRandom.hex(16)
+        authorize_url(authorize_url: auth_path)
+      end
+      # tries to login the user from access token
+      def process_callback(params, _session)
+        args = {}.tap do |a|
+          a[:code] = params[:code] if params[:code]
+        end
+        get_access_token(args, token_url: token_url, token_method: :post)
+      end
+    end
+  end
+end

data/lib/sorcery/providers/linkedin.rb CHANGED Viewed

@@ -1,65 +1,49 @@
 module Sorcery
   module Providers
-    # This class adds support for OAuth with Linkedin.com.
+    # This class adds support for OAuth with LinkedIn.
     #
     #   config.linkedin.key = <key>
     #   config.linkedin.secret = <secret>
     #   ...
     #
     class Linkedin < Base
-      include Protocols::Oauth
+      include Protocols::Oauth2
-      attr_accessor :authorize_path, :access_permissions, :access_token_path,
-                    :request_token_path, :user_info_fields, :user_info_path
+      attr_accessor :auth_url, :scope, :token_url, :user_info_url
       def initialize
-        @configuration = {
-          site: 'https://api.linkedin.com',
-          authorize_path: '/uas/oauth/authenticate',
-          request_token_path: '/uas/oauth/requestToken',
-          access_token_path: '/uas/oauth/accessToken'
-        }
-        @user_info_path = '/v1/people/~'
-      end
-      # Override included get_consumer method to provide authorize_path
-      def get_consumer
-        # Add access permissions to request token path
-        @configuration[:request_token_path] += '?scope=' + access_permissions.join('+') unless access_permissions.blank? || @configuration[:request_token_path].include?('?scope=')
-        ::OAuth::Consumer.new(@key, @secret, @configuration)
+        super
+        @site          = 'https://api.linkedin.com'
+        @auth_url      = '/oauth/v2/authorization'
+        @token_url     = '/oauth/v2/accessToken'
+        @user_info_url = 'https://api.linkedin.com/v2/me'
+        @scope         = 'r_liteprofile'
+        @state         = SecureRandom.hex(16)
       end
       def get_user_hash(access_token)
-        # Always include id for provider uid and prevent accidental duplication via setting `user_info_field = ['id']` (needed in Sorcery 0.9.1)
-        info_fields = user_info_fields ? user_info_fields.reject { |n| n == 'id' } : []
-        fields = info_fields.any? ? 'id,' + info_fields.join(',') : 'id'
-        response = access_token.get("#{@user_info_path}:(#{fields})", 'x-li-format' => 'json')
+        response = access_token.get(user_info_url)
         auth_hash(access_token).tap do |h|
           h[:user_info] = JSON.parse(response.body)
-          h[:uid] = h[:user_info]['id'].to_s
+          h[:uid] = h[:user_info]['id']
         end
       end
       # calculates and returns the url to which the user should be redirected,
       # to get authenticated at the external provider's site.
-      def login_url(_params, session)
-        req_token = get_request_token
-        session[:request_token]         = req_token.token
-        session[:request_token_secret]  = req_token.secret
-        authorize_url(request_token: req_token.token, request_token_secret: req_token.secret)
+      def login_url(_params, _session)
+        authorize_url(authorize_url: auth_url)
       end
       # tries to login the user from access token
-      def process_callback(params, session)
-        args = {
-          oauth_verifier:       params[:oauth_verifier],
-          request_token:        session[:request_token],
-          request_token_secret: session[:request_token_secret]
-        }
+      def process_callback(params, _session)
+        args = {}.tap do |a|
+          a[:code] = params[:code] if params[:code]
+        end
-        args[:code] = params[:code] if params[:code]
-        get_access_token(args)
+        get_access_token(args, token_url: token_url, token_method: :post)
       end
     end
   end

data/lib/sorcery/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Sorcery
-  VERSION = '0.13.0'.freeze
+  VERSION = '0.14.0'.freeze
 end