
Add expiring, databaseless password reset tokens #682

Closed
wants to merge 13 commits into from

Commits on May 13, 2016

  1. 10003db
  2. Stop supporting older versions of Ruby and Rails

    - Remove support for Ruby 1.9, 2.0, and 2.1
    - Remove support for Rails 3.1, 3.2, 4.0, and 4.1
    derekprior committed May 13, 2016 (b10a63f)
  3. 6dd080f
  4. Use flash alerts rather than notices

    These messages are used to tell users they can't access a page without
    signing in, that their password is incorrect, etc. These are much closer
    to error or alert states than notice.
    derekprior committed May 13, 2016 (5263be0)
  5. c6f251b
  6. Remove unused method

    `PasswordsController#url_after_create` was never called by our code.
    derekprior committed May 13, 2016 (f30b60d)
  7. 9ae46df
  8. Update RSpec dependency

    derekprior committed May 13, 2016 (3313a7e)
  9. Remove conditionals for older versions of Rails

    These `respond_to` checks were added to support changing Rails API as
    new versions of Rails were released. Now that we support 4.2 or newer,
    we don't need them.
    derekprior committed May 13, 2016 (0fb0696)
  10. Clean up passwords controller

    * Remove deprecated parameter handling
    * Order actions more logically
    * Update to double quotes
    derekprior committed May 13, 2016 (64047ca)

Commits on May 20, 2016

  1. Add expiring, databaseless password reset tokens

    It is a best security practice for password reset tokens to expire after
    some amount of time. In Clearance 1.x, this was not the case. A password
    reset email could be used months after it was originally sent so long as
    no other password reset was ever completed.
    
    In this change, password resets expire after 15 minutes (configurable)
    or after the user successfully changes their password in any manner
    (whichever comes first).
    
    The token, confusingly called `confirmation_token`, is no longer stored
    in the database. Instead, we use `ActiveSupport::MessageVerifier` to
    sign the token and validate it when it is used. The message verifier is
    configurable in case developers want to use something else.
    
    In a future refactoring, I'd like to introduce a layer between Clearance
    and `ActiveSupport::MessageVerifier` to make the API a bit more pleasant
    to use, but this is an exercise for a future PR. For instance, I'd
    prefer that the Clearance abstraction generate and validate tokens only
    by taking a user object (and using the Clearance configuration).
    Derek Prior & Melissa Xie authored and derekprior committed May 20, 2016 (13b31ac)
  2. Extract PasswordResetToken

    This cleans up some of the duplication of knowledge for how password
    reset tokens are generated and allows us to move tests for the various
    ways a reset token can be invalid into unit tests.
    derekprior committed May 20, 2016 (c3426a2)
  3. Use digested encrypted password in reset tokens

    We were previously using the encrypted password as part of the signed
    password reset token. Theoretically, emailing this token out could
    expose the encrypted password to some adversary who would then be able
    to do offline attacks against it.
    
    This would likely not be very successful, but in an abundance of
    caution, this change exposes an MD5'd version of the encrypted password
    instead.
    derekprior committed May 20, 2016 (b88990c)
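The token scheme described by the first and third May 20 commits, as an added example that is not Clearance's code: a stdlib HMAC-SHA256 stand-in for `ActiveSupport::MessageVerifier` signs a payload of user id, expiry and a digest of the encrypted password, so a token expires after 15 minutes, is rejected if tampered with, and is invalidated by any password change without any server-side storage. Assumed names are `ResetTokenVerifier`, `PasswordResetToken` and the `User` struct, and SHA-256 is used for the fingerprint where the commit used MD5.

```ruby
require "openssl"
require "base64"
require "digest"
require "json"
# Stand-in for ActiveSupport::MessageVerifier built on the Ruby stdlib:
# HMAC-SHA256 over a base64 payload, joined with "--" as Rails does.
class ResetTokenVerifier
  def initialize(secret)
    @secret = secret
  end
  def generate(payload)
    data = Base64.strict_encode64(JSON.generate(payload))
    "#{data}--#{sign(data)}"
  end
  # Payload hash, or nil for a missing, malformed or forged signature.
  def verify(token)
    data, sig = token.to_s.split("--", 2)
    return nil unless data && sig && secure_compare(sign(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end
  private
  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end
  def secure_compare(a, b) # constant-time, so signature checks do not leak timing
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
User = Struct.new(:id, :encrypted_password) # constructed stand-in for the user model
# Token = user id + expiry + digest of the encrypted password (never the hash itself).
class PasswordResetToken
  def initialize(verifier, ttl: 15 * 60) # 15 minutes as in the commit; configurable
    @verifier, @ttl = verifier, ttl
  end
  def generate(user, now: Time.now)
    @verifier.generate("id" => user.id, "exp" => (now + @ttl).to_i,
                       "pwd" => fingerprint(user.encrypted_password))
  end
  # The user if the token is authentic, unexpired and the password is unchanged; else nil.
  def user_for(token, users, now: Time.now)
    payload = @verifier.verify(token) or return nil
    return nil if now.to_i > payload["exp"]
    user = users[payload["id"]]
    user if user && fingerprint(user.encrypted_password) == payload["pwd"]
  end
  def fingerprint(encrypted_password) # commit used MD5; any one-way digest serves here
    Digest::SHA256.hexdigest(encrypted_password)
  end
end
```

`users` stands in for the database lookup; the token itself carries everything needed to validate it.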