diff --git a/Gemfile b/Gemfile index ff0ded14e..e61e92e25 100644 --- a/Gemfile +++ b/Gemfile @@ -23,6 +23,7 @@ gem 'turbolinks' gem 'sprockets', '~> 3.6.3' gem 'devise', '~> 3.5.7' +gem 'devise_security_extension' # Use ActiveModel has_secure_password # gem 'bcrypt', '~> 3.1.7' gem 'omniauth' diff --git a/Gemfile.lock b/Gemfile.lock index 8ca495b1b..68570d756 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -138,6 +138,9 @@ GEM warden (~> 1.2.3) devise-async (0.10.2) devise (>= 3.2, < 4.0) + devise_security_extension (0.10.0) + devise (>= 3.0.0, < 4.0) + railties (>= 3.2.6, < 5.0) diff-lcs (1.2.5) docile (1.1.5) easy_translate (0.5.0) @@ -460,6 +463,7 @@ DEPENDENCIES delayed_job_active_record (~> 4.1.0) devise (~> 3.5.7) devise-async + devise_security_extension email_spec factory_girl_rails faker diff --git a/app/models/user.rb b/app/models/user.rb index 60bc2364a..916c3d0b9 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -2,8 +2,8 @@ class User < ActiveRecord::Base include Verification - devise :database_authenticatable, :registerable, :confirmable, - :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :async + devise :database_authenticatable, :registerable, :confirmable, :recoverable, :rememberable, + :trackable, :validatable, :omniauthable, :async, :password_expirable, :secure_validatable acts_as_voter acts_as_paranoid column: :hidden_at diff --git a/app/views/devise/password_expired/show.html.erb b/app/views/devise/password_expired/show.html.erb new file mode 100644 index 000000000..33dc82f71 --- /dev/null +++ b/app/views/devise/password_expired/show.html.erb @@ -0,0 +1,13 @@ +

<%= t("devise.password_expired.expire_password") %>

+ +<%= form_for(resource, :as => resource_name, :url => [resource_name, :password_expired], :html => { :method => :put }) do |f| %> + + <%= f.password_field :current_password %>

+ + <%= f.label t("devise.password_expired.new_password") %> + <%= f.password_field :password, label: false %>

+ + <%= f.password_field :password_confirmation %>

+ +

<%= f.submit t("devise.password_expired.change_password") %>

+<% end %> \ No newline at end of file diff --git a/config/i18n-tasks.yml b/config/i18n-tasks.yml index 250ed18f9..9cf9f8137 100644 --- a/config/i18n-tasks.yml +++ b/config/i18n-tasks.yml @@ -101,6 +101,7 @@ ignore_missing: - 'errors.messages.taken' - 'devise.failure.invalid' - 'devise.registrations.destroyed' + - 'devise.password_expired.*' ## Consider these keys used: ignore_unused: diff --git a/config/initializers/devise_security_extension.rb b/config/initializers/devise_security_extension.rb new file mode 100644 index 000000000..6e691acbe --- /dev/null +++ b/config/initializers/devise_security_extension.rb @@ -0,0 +1,71 @@ +Devise.setup do |config| + # ==> Security Extension + # Configure security extension for devise + + # Should the password expire (e.g 3.months) + # config.expire_password_after = false + config.expire_password_after = 1.year + + # Need 1 char of A-Z, a-z and 0-9 + # config.password_regex = /(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])/ + + # How many passwords to keep in archive + #config.password_archiving_count = 5 + + # Deny old password (true, false, count) + # config.deny_old_passwords = true + + # enable email validation for :secure_validatable. (true, false, validation_options) + # dependency: need an email validator like rails_email_validator + # config.email_validation = true + # captcha integration for recover form + # config.captcha_for_recover = true + + # captcha integration for sign up form + # config.captcha_for_sign_up = true + + # captcha integration for sign in form + # config.captcha_for_sign_in = true + + # captcha integration for unlock form + # config.captcha_for_unlock = true + + # captcha integration for confirmation form + # config.captcha_for_confirmation = true + + # Time period for account expiry from last_activity_at + # config.expire_after = 90.days +end + +module Devise + module Models + module PasswordExpirable + def need_change_password? + self.administrator? && password_expired? + end + + def password_expired? + self.password_changed_at < self.expire_password_after.ago + end + end + + module SecureValidatable + def self.included(base) + base.extend ClassMethods + assert_secure_validations_api!(base) + base.class_eval do + validate :current_equal_password_validation + end + end + + def current_equal_password_validation + if !self.new_record? && !self.encrypted_password_change.nil? && !self.erased? + dummy = self.class.new + dummy.encrypted_password = self.encrypted_password_change.first + dummy.password_salt = self.password_salt_change.first if self.respond_to? :password_salt_change and not self.password_salt_change.nil? + self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(self.password) + end + end + end + end +end \ No newline at end of file diff --git a/config/locales/activerecord.en.yml b/config/locales/activerecord.en.yml index 07791e53c..7de5b340e 100644 --- a/config/locales/activerecord.en.yml +++ b/config/locales/activerecord.en.yml @@ -54,6 +54,7 @@ en: username: "Username" password_confirmation: "Password confirmation" password: "Password" + current_password: "Current password" phone_number: "Phone number" official_position: "Official position" official_level: "Official level" diff --git a/config/locales/activerecord.es.yml b/config/locales/activerecord.es.yml index d5b7f0005..4dae4cb56 100644 --- a/config/locales/activerecord.es.yml +++ b/config/locales/activerecord.es.yml @@ -54,6 +54,7 @@ es: username: "Nombre de usuario" password_confirmation: "Confirmación de contraseña" password: "Contraseña" + current_password: "Contraseña actual" phone_number: "Teléfono" official_position: "Cargo público" official_level: "Nivel del cargo" diff --git a/config/locales/devise.en.yml b/config/locales/devise.en.yml index 30fb488ce..29bc0a620 100755 --- a/config/locales/devise.en.yml +++ b/config/locales/devise.en.yml @@ -2,6 +2,12 @@ en: devise: + password_expired: + expire_password: "Password expired" + change_required: "Your password is expired" + change_password: "Change your password" + new_password: "New password" + updated: "Password successfully updated" confirmations: confirmed: "Your account has been confirmed." send_instructions: "In a few minutes you will receive an email containing instructions on how to reset your password." @@ -62,3 +68,4 @@ en: not_saved: one: "1 error prevented this %{resource} from being saved:" other: "%{count} errors prevented this %{resource} from being saved:" + equal_to_current_password: "must be different than the current password." diff --git a/config/locales/devise.es.yml b/config/locales/devise.es.yml index 1a9c3a3b8..6ede31f7d 100644 --- a/config/locales/devise.es.yml +++ b/config/locales/devise.es.yml @@ -1,5 +1,11 @@ es: devise: + password_expired: + expire_password: "Contraseña caducada" + change_required: "Tu contraseña ha caducado" + change_password: "Cambia tu contraseña" + new_password: "Nueva contraseña" + updated: "Contraseña actualizada con éxito" confirmations: confirmed: "Tu cuenta ha sido confirmada. Por favor autentifícate con tu red social o tu usuario y contraseña" send_instructions: "Recibirás un correo electrónico en unos minutos con instrucciones sobre cómo restablecer tu contraseña." @@ -60,3 +66,4 @@ es: not_saved: one: "1 error impidió que este %{resource} fuera guardado:" other: "%{count} errores impidieron que este %{resource} fuera guardado:" + equal_to_current_password: "debe ser diferente a la contraseña actual" diff --git a/db/migrate/20160901104320_add_password_expired.rb b/db/migrate/20160901104320_add_password_expired.rb new file mode 100644 index 000000000..aa759dd61 --- /dev/null +++ b/db/migrate/20160901104320_add_password_expired.rb @@ -0,0 +1,6 @@ +class AddPasswordExpired < ActiveRecord::Migration + def change + add_column :users, :password_changed_at, :datetime + add_index :users, :password_changed_at + end +end diff --git a/db/schema.rb b/db/schema.rb index becde4f8a..339ce7675 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20160803154011) do +ActiveRecord::Schema.define(version: 20160901104320) do # These are extensions that must be enabled in order to support this database enable_extension "plpgsql" @@ -464,12 +464,14 @@ ActiveRecord::Schema.define(version: 20160803154011) do t.boolean "email_digest", default: true t.boolean "email_on_direct_message", default: true t.boolean "official_position_badge", default: false + t.datetime "password_changed_at" end add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true, using: :btree add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree add_index "users", ["geozone_id"], name: "index_users_on_geozone_id", using: :btree add_index "users", ["hidden_at"], name: "index_users_on_hidden_at", using: :btree + add_index "users", ["password_changed_at"], name: "index_users_on_password_changed_at", using: :btree add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, using: :btree add_index "users", ["username"], name: "index_users_on_username", using: :btree diff --git a/lib/tasks/users.rake b/lib/tasks/users.rake index efbeeaa94..ccb749f9a 100644 --- a/lib/tasks/users.rake +++ b/lib/tasks/users.rake @@ -76,4 +76,12 @@ namespace :users do task remove_erased_identities: :environment do Identity.joins(:user).where('users.erased_at IS NOT NULL').destroy_all end + + desc "Update password changed at for existing users" + task update_password_changed_at: :environment do + User.all.each do |user| + user.update(password_changed_at: user.created_at) + end + end + end diff --git a/spec/features/users_auth_spec.rb b/spec/features/users_auth_spec.rb index 9e1e67ef9..5b3c157d7 100644 --- a/spec/features/users_auth_spec.rb +++ b/spec/features/users_auth_spec.rb @@ -285,4 +285,59 @@ feature 'Users' do expect(page).to have_content "Your password has been changed successfully." end + + scenario 'Sign in, admin with password expired' do + user = create(:user, password_changed_at: Time.now - 1.year) + admin = create(:administrator, user: user) + + login_as(admin.user) + visit root_path + + expect(page).to have_content "Your password is expired" + + fill_in 'user_current_password', with: 'judgmentday' + fill_in 'user_password', with: '123456789' + fill_in 'user_password_confirmation', with: '123456789' + + click_button 'Change your password' + + expect(page).to have_content "Password successfully updated" + end + + scenario 'Sign in, admin without password expired' do + user = create(:user, password_changed_at: Time.now - 360.days) + admin = create(:administrator, user: user) + + login_as(admin.user) + visit root_path + + expect(page).to_not have_content "Your password is expired" + end + + scenario 'Sign in, user with password expired' do + user = create(:user, password_changed_at: Time.now - 1.year) + + login_as(user) + visit root_path + + expect(page).to_not have_content "Your password is expired" + end + + scenario 'Admin with password expired trying to use same password' do + user = create(:user, password_changed_at: Time.now - 1.year, password: '123456789') + admin = create(:administrator, user: user) + + login_as(admin.user) + visit root_path + + expect(page).to have_content "Your password is expired" + + fill_in 'user_current_password', with: 'judgmentday' + fill_in 'user_password', with: '123456789' + fill_in 'user_password_confirmation', with: '123456789' + click_button 'Change your password' + + expect(page).to have_content "must be different than the current password." + end + end