Bump devise-security from 0.10.1 to 0.11.1

The original devise_security_extension gem has not been maintained for years. Its last release was version 0.10.0, and wasn't compatible with Rails 5, and so we were using its master branch. Since the gem was unmaintained, it was forked as devise-security and the aforementioned master branch was released as version 0.10.1. This version wasn't published in Rubygems, though, so we're now using the first version that was published in Rubygems and had a release announment [1]. Dependabot will probably open a pull request to upgrade to the latest version, but for now I'm trying to keep the devise-security gem as similar as the version we were using to make sure they're compatible, particularly considering we're monkey-patching some of the modules provided by this gem. [1] https://github.com/devise-security/devise-security/releases/tag/v0.11.1
2020-10-02 13:16:13 +02:00
parent b1be0caa3b
commit dfb80b08c7
3 changed files with 8 additions and 12 deletions
--- a/config/initializers/devise-security.rb
+++ b/config/initializers/devise-security.rb
@@ -0,0 +1,72 @@
+Devise.setup do |config|
+  # ==> Security Extension
+  # Configure security extension for devise
+
+  # Should the password expire (e.g 3.months)
+  # config.expire_password_after = false
+  config.expire_password_after = 1.year
+
+  # Need 1 char of A-Z, a-z and 0-9
+  # config.password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
+
+  # How many passwords to keep in archive
+  # config.password_archiving_count = 5
+
+  # Deny old password (true, false, count)
+  # config.deny_old_passwords = true
+
+  # enable email validation for :secure_validatable. (true, false, validation_options)
+  # dependency: need an email validator like rails_email_validator
+  # config.email_validation = true
+
+  # captcha integration for recover form
+  # config.captcha_for_recover = true
+
+  # captcha integration for sign up form
+  # config.captcha_for_sign_up = true
+
+  # captcha integration for sign in form
+  # config.captcha_for_sign_in = true
+
+  # captcha integration for unlock form
+  # config.captcha_for_unlock = true
+
+  # captcha integration for confirmation form
+  # config.captcha_for_confirmation = true
+
+  # Time period for account expiry from last_activity_at
+  # config.expire_after = 90.days
+end
+
+module Devise
+  module Models
+    module PasswordExpirable
+      def need_change_password?
+        self.administrator? && password_expired?
+      end
+
+      def password_expired?
+        self.password_changed_at < self.expire_password_after.ago
+      end
+    end
+
+    module SecureValidatable
+      def self.included(base)
+        base.extend ClassMethods
+        assert_secure_validations_api!(base)
+        base.class_eval do
+          validate :current_equal_password_validation
+        end
+      end
+
+      def current_equal_password_validation
+        if !self.new_record? && !self.encrypted_password_change.nil? && !self.erased?
+          dummy = self.class.new
+          dummy.encrypted_password = self.encrypted_password_change.first
+          dummy.password_salt = self.password_salt_change.first if self.respond_to?(:password_salt_change) && !self.password_salt_change.nil?
+          self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(self.password)
+        end
+      end
+    end
+  end
+end