sorcery 0.13.0 → 0.14.0

data/spec/controllers/controller_oauth2_spec.rb

@@ -216,6 +216,7 @@ describe SorceryController, active_record: true, type: :controller do
           microsoft
           instagram
           auth0
+          line
         ]
       )
 
@@ -257,6 +258,9 @@ describe SorceryController, active_record: true, type: :controller do
       sorcery_controller_external_property_set(:auth0, :secret, 'XpbeSdCoaKSmQGSeokz5qcUATClRW5u08QWNfv71N8')
       sorcery_controller_external_property_set(:auth0, :callback_url, 'http://blabla.com')
       sorcery_controller_external_property_set(:auth0, :site, 'https://sorcery-test.auth0.com')
+      sorcery_controller_external_property_set(:line, :key, "eYVNBjBDi33aa9GkA3w")
+      sorcery_controller_external_property_set(:line, :secret, "XpbeSdCoaKSmQGSeokz5qcUATClRW5u08QWNfv71N8")
+      sorcery_controller_external_property_set(:line, :callback_url, "http://blabla.com")
     end
 
     after(:each) do
@@ -474,6 +478,7 @@ describe SorceryController, active_record: true, type: :controller do
         microsoft
         instagram
         auth0
+        line
       ]
     )
     sorcery_controller_external_property_set(:facebook, :key, 'eYVNBjBDi33aa9GkA3w')
@@ -513,6 +518,9 @@ describe SorceryController, active_record: true, type: :controller do
     sorcery_controller_external_property_set(:auth0, :secret, 'XpbeSdCoaKSmQGSeokz5qcUATClRW5u08QWNfv71N8')
     sorcery_controller_external_property_set(:auth0, :callback_url, 'http://blabla.com')
     sorcery_controller_external_property_set(:auth0, :site, 'https://sorcery-test.auth0.com')
+    sorcery_controller_external_property_set(:line, :key, "eYVNBjBDi33aa9GkA3w")
+    sorcery_controller_external_property_set(:line, :secret, "XpbeSdCoaKSmQGSeokz5qcUATClRW5u08QWNfv71N8")
+    sorcery_controller_external_property_set(:line, :callback_url, "http://blabla.com")
   end
 
   def provider_url(provider)

data/spec/rails_app/app/controllers/sorcery_controller.rb

@@ -142,6 +142,10 @@ class SorceryController < ActionController::Base
     login_at(:slack)
   end
 
+  def login_at_test_line
+    login_at(:line)
+  end
+
   def login_at_test_with_state
     login_at(:facebook, state: 'bla')
   end
@@ -268,6 +272,14 @@ class SorceryController < ActionController::Base
     end
   end
 
+  def test_login_from_line
+    if @user = login_from(:line)
+      redirect_to 'bla', notice: 'Success!'
+    else
+      redirect_to 'blu', alert: 'Failed!'
+    end
+  end
+
   def test_return_to_with_external_twitter
     if (@user = login_from(:twitter))
       redirect_back_or_to 'bla', notice: 'Success!'
@@ -382,6 +394,14 @@ class SorceryController < ActionController::Base
     end
   end
 
+  def test_return_to_with_external_line
+    if @user = login_from(:line)
+      redirect_back_or_to 'bla', notice: 'Success!'
+    else
+      redirect_to 'blu', alert: 'Failed!'
+    end
+  end
+
   def test_create_from_provider
     provider = params[:provider]
     login_from(provider)

data/spec/rails_app/config/routes.rb

@@ -32,6 +32,7 @@ AppRoot::Application.routes.draw do
     get :test_login_from_slack
     get :test_login_from_instagram
     get :test_login_from_auth0
+    get :test_login_from_line
     get :login_at_test
     get :login_at_test_twitter
     get :login_at_test_facebook
@@ -47,6 +48,7 @@ AppRoot::Application.routes.draw do
     get :login_at_test_slack
     get :login_at_test_instagram
     get :login_at_test_auth0
+    get :login_at_test_line
     get :test_return_to_with_external
     get :test_return_to_with_external_twitter
     get :test_return_to_with_external_facebook
@@ -62,6 +64,7 @@ AppRoot::Application.routes.draw do
     get :test_return_to_with_external_slack
     get :test_return_to_with_external_instagram
     get :test_return_to_with_external_auth0
+    get :test_return_to_with_external_line
     get :test_http_basic_auth
     get :some_action_making_a_non_persisted_change_to_the_user
     post :test_login_with_remember

data/spec/shared_examples/user_reset_password_shared_examples.rb

@@ -14,6 +14,8 @@ shared_examples_for 'rails_3_reset_password_model' do
     context 'API' do
       specify { expect(user).to respond_to :deliver_reset_password_instructions! }
 
+      specify { expect(user).to respond_to :change_password }
+
       specify { expect(user).to respond_to :change_password! }
 
       it 'responds to .load_from_reset_password_token' do
@@ -314,13 +316,27 @@ shared_examples_for 'rails_3_reset_password_model' do
       end
     end
 
-    it 'when change_password! is called, deletes reset_password_token' do
+    it 'when change_password! is called, deletes reset_password_token and calls #save!' do
       user.deliver_reset_password_instructions!
 
       expect(user.reset_password_token).not_to be_nil
+      expect(user).to_not receive(:save)
+      expect(user).to receive(:save!)
 
       user.change_password!('blabulsdf')
-      user.save!
+
+      expect(user.reset_password_token).to be_nil
+    end
+
+    it 'when change_password is called, deletes reset_password_token and calls #save' do
+      new_password = 'blabulsdf'
+
+      user.deliver_reset_password_instructions!
+      expect(user.reset_password_token).not_to be_nil
+      expect(user).to_not receive(:save!)
+      expect(user).to receive(:save)
+
+      user.change_password(new_password)
 
       expect(user.reset_password_token).to be_nil
     end

data/spec/shared_examples/user_shared_examples.rb

@@ -54,6 +54,13 @@ shared_examples_for 'rails_3_core_model' do
       expect(User.sorcery_config.custom_encryption_provider).to eq Array
     end
 
+    it "enables configuration option 'pepper'" do
+      pepper = '*$%&%*++'
+      sorcery_model_property_set(:pepper, pepper)
+
+      expect(User.sorcery_config.pepper).to eq pepper
+    end
+
     it "enables configuration option 'salt_join_token'" do
       salt_join_token = '--%%*&-'
       sorcery_model_property_set(:salt_join_token, salt_join_token)
@@ -459,6 +466,14 @@ shared_examples_for 'rails_3_core_model' do
       expect(User.encrypt(@text)).to eq Sorcery::CryptoProviders::SHA512.encrypt(@text)
     end
 
+    it 'if encryption algo is bcrypt it works' do
+      sorcery_model_property_set(:encryption_algorithm, :bcrypt)
+
+      # comparison is done using BCrypt::Password#==(raw_token), not by String#==
+      expect(User.encrypt(@text)).to be_an_instance_of BCrypt::Password
+      expect(User.encrypt(@text)).to eq @text
+    end
+
     it 'salt is random for each user and saved in db' do
       sorcery_model_property_set(:salt_attribute_name, :salt)
 
@@ -488,6 +503,54 @@ shared_examples_for 'rails_3_core_model' do
 
       expect(user.crypted_password).to eq Sorcery::CryptoProviders::SHA512.encrypt('secret', user.salt)
     end
+
+    it 'if pepper is set uses it to encrypt' do
+      sorcery_model_property_set(:salt_attribute_name, :salt)
+      sorcery_model_property_set(:pepper, '++@^$')
+      sorcery_model_property_set(:encryption_algorithm, :bcrypt)
+
+      # password comparison is done using BCrypt::Password#==(raw_token), not String#==
+      bcrypt_password = BCrypt::Password.new(user.crypted_password)
+      allow(::BCrypt::Password).to receive(:create) do |token, cost:|
+        # need to use common BCrypt's salt when genarating BCrypt::Password objects
+        # so that any generated password hashes can be compared each other
+        ::BCrypt::Engine.hash_secret(token, bcrypt_password.salt)
+      end
+
+      expect(user.crypted_password).not_to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret')
+
+      Sorcery::CryptoProviders::BCrypt.pepper = ''
+
+      expect(user.crypted_password).not_to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret', user.salt)
+
+      Sorcery::CryptoProviders::BCrypt.pepper = User.sorcery_config.pepper
+
+      expect(user.crypted_password).to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret', user.salt)
+    end
+
+    it 'if pepper is empty string (default) does not use pepper to encrypt' do
+      sorcery_model_property_set(:salt_attribute_name, :salt)
+      sorcery_model_property_set(:pepper, '')
+      sorcery_model_property_set(:encryption_algorithm, :bcrypt)
+
+      # password comparison is done using BCrypt::Password#==(raw_token), not String#==
+      bcrypt_password = BCrypt::Password.new(user.crypted_password)
+      allow(::BCrypt::Password).to receive(:create) do |token, cost:|
+        # need to use common BCrypt's salt when genarating BCrypt::Password objects
+        # so that any generated password hashes can be compared each other
+        ::BCrypt::Engine.hash_secret(token, bcrypt_password.salt)
+      end
+
+      expect(user.crypted_password).not_to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret')
+
+      Sorcery::CryptoProviders::BCrypt.pepper = 'some_pepper'
+
+      expect(user.crypted_password).not_to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret', user.salt)
+
+      Sorcery::CryptoProviders::BCrypt.pepper = User.sorcery_config.pepper
+
+      expect(user.crypted_password).to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret', user.salt)
+    end
   end
 
   describe 'ORM adapter' do

data/spec/sorcery_crypto_providers_spec.rb

@@ -148,6 +148,7 @@ describe 'Crypto Providers wrappers' do
     before(:all) do
       Sorcery::CryptoProviders::BCrypt.cost = 1
       @digest = BCrypt::Password.create('Noam Ben-Ari', cost: Sorcery::CryptoProviders::BCrypt.cost)
+      @tokens = %w[password gq18WBnJYNh2arkC1kgH]
     end
 
     after(:each) do
@@ -181,5 +182,64 @@ describe 'Crypto Providers wrappers' do
       # stubbed in Sorcery::TestHelpers::Internal
       expect(Sorcery::CryptoProviders::BCrypt.cost).to eq 1
     end
+
+    it 'matches token encrypted with salt from upstream' do
+      # note: actual comparison is done by BCrypt::Password#==(raw_token)
+      expect(Sorcery::CryptoProviders::BCrypt.encrypt(@tokens)).to eq @tokens.flatten.join
+    end
+
+    it 'respond_to?(:pepper) returns true' do
+      expect(Sorcery::CryptoProviders::BCrypt.respond_to?(:pepper)).to be true
+    end
+
+    context 'when pepper is provided' do
+      before(:each) do
+        Sorcery::CryptoProviders::BCrypt.pepper = 'pepper'
+        @digest = Sorcery::CryptoProviders::BCrypt.encrypt(@tokens) # a BCrypt::Password object
+      end
+
+      it 'matches token encrypted with salt and pepper from upstream' do
+        # note: actual comparison is done by BCrypt::Password#==(raw_token)
+        expect(@digest).to eq @tokens.flatten.join.concat('pepper')
+      end
+
+      it 'matches? returns true when matches' do
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, *@tokens)).to be true
+      end
+
+      it 'matches? returns false when pepper is replaced with empty string' do
+        Sorcery::CryptoProviders::BCrypt.pepper = ''
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, *@tokens)).to be false
+      end
+
+      it 'matches? returns false when no match' do
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, 'a_random_incorrect_password')).to be false
+      end
+    end
+
+    context "when pepper is an empty string (default)" do
+      before(:each) do
+        Sorcery::CryptoProviders::BCrypt.pepper = ''
+        @digest = Sorcery::CryptoProviders::BCrypt.encrypt(@tokens) # a BCrypt::Password object
+      end
+
+      # make sure the default pepper '' does nothing
+      it 'matches token encrypted with salt only (without pepper)' do
+        expect(@digest).to eq @tokens.flatten.join # keep consistency with the older versions of #join_token
+      end
+
+      it 'matches? returns true when matches' do
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, *@tokens)).to be true
+      end
+
+      it 'matches? returns false when pepper has changed' do
+        Sorcery::CryptoProviders::BCrypt.pepper = 'a new pepper'
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, *@tokens)).to be false
+      end
+
+      it 'matches? returns false when no match' do
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, 'a_random_incorrect_password')).to be false
+      end
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sorcery
 version: !ruby/object:Gem::Version
-  version: 0.13.0
+  version: 0.14.0
 platform: ruby
 authors:
 - Noam Ben Ari
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-29 00:00:00.000000000 Z
+date: 2019-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -207,9 +207,6 @@ files:
 - LICENSE.md
 - README.md
 - Rakefile
-- gemfiles/active_record_rails_40.gemfile
-- gemfiles/active_record_rails_41.gemfile
-- gemfiles/active_record_rails_42.gemfile
 - lib/generators/sorcery/USAGE
 - lib/generators/sorcery/helpers.rb
 - lib/generators/sorcery/install_generator.rb
@@ -263,6 +260,7 @@ files:
 - lib/sorcery/providers/heroku.rb
 - lib/sorcery/providers/instagram.rb
 - lib/sorcery/providers/jira.rb
+- lib/sorcery/providers/line.rb
 - lib/sorcery/providers/linkedin.rb
 - lib/sorcery/providers/liveid.rb
 - lib/sorcery/providers/microsoft.rb

data/gemfiles/active_record_rails_40.gemfile

@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'rails', '~> 4.0.1'
-gem 'sqlite3', platform: :mri
-
-gemspec path: '..'

data/gemfiles/active_record_rails_41.gemfile

@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'rails', '~> 4.1.0'
-gem 'sqlite3', platform: :mri
-
-gemspec path: '..'

data/gemfiles/active_record_rails_42.gemfile

@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'rails', '~> 4.2.0'
-gem 'sqlite3', platform: :mri
-
-gemspec path: '..'