Added :paranoid_ip_verification options to disable being paranoid i…

…n ip address

lib/devise_security_extension.rb

@@ -82,6 +82,9 @@ module Devise
 
   mattr_accessor :reject_session_on_limit
   @@reject_session_on_limit = true
+
+  mattr_accessor :paranoid_ip_verification
+  @@paranoid_ip_verification = true
 end
 
 # an security extension for devise

lib/devise_security_extension/models/session_traceable.rb

@@ -27,7 +27,7 @@ module SessionTraceable
       end
 
       def self.required_fields(klass)
-        [:session_traceable_class]
+        [:session_traceable_class, :paranoid_ip_verification]
       end
 
       # Create new traceable session
@@ -43,6 +43,11 @@ def log_traceable_request!(options = {})
       #
       def accept_traceable_token?(token, options = {})
         opts = options.merge unique_auth_token_valid: true
+        if paranoid_ip_verification
+          opts[:ip_address] ||= nil
+        else
+          opts.delete(:ip_address)
+        end
         find_traceable_by_token(token, opts).present?
       end
 
@@ -71,6 +76,10 @@ def find_traceable_by_token(token, options = {})
         session_traceable_adapter.find_first opts
       end
 
+      def paranoid_ip_verification
+        self.class.paranoid_ip_verification
+      end
+
       private
 
       def generate_traceable_token
@@ -89,7 +98,7 @@ def session_traceable_condition(options = {})
       end
 
       module ClassMethods
-        ::Devise::Models.config(self, :session_traceable_class)
+        ::Devise::Models.config(self, :session_traceable_class, :paranoid_ip_verification)
       end
     end
   end

test/models/session_traceable_test.rb

@@ -3,7 +3,7 @@
 
 class TraceableTest < ActiveSupport::TestCase
   test 'required_fields should contain the fields that Devise uses' do
-    assert_same_content Devise::Models::SessionTraceable.required_fields(User), [:session_traceable_class]
+    assert_same_content Devise::Models::SessionTraceable.required_fields(User), [:session_traceable_class, :paranoid_ip_verification]
   end
 
   test 'custom session_traceable should not raise exception' do
@@ -32,10 +32,25 @@ class TraceableTest < ActiveSupport::TestCase
     assert_not_empty create_user.log_traceable_request!(default_options)
   end
 
+  test 'token should be paranoid with ip address' do
+    user = create_user
+    token = user.log_traceable_request!(default_options)
+
+    assert_not user.accept_traceable_token?(token)
+  end
+
   test 'token should be accepted' do
     user = create_user
     token = user.log_traceable_request!(default_options)
-    assert user.accept_traceable_token?(token)
+    assert user.accept_traceable_token?(token, default_options)
+  end
+
+  test 'token should be accepted even different ip if not paranoid_ip_verification' do
+    swap Devise, paranoid_ip_verification: false do
+      user = create_user
+      token = user.log_traceable_request!(default_options)
+      assert user.accept_traceable_token?(token, ip_address: '0.0.0.0')
+    end
   end
 
   test 'expiring token should not raise exception' do
@@ -54,6 +69,16 @@ class TraceableTest < ActiveSupport::TestCase
     assert_not user.accept_traceable_token?(token)
   end
 
+  test 'expired token should not be accepted even different ip if not paranoid_ip_verification' do
+    swap Devise, paranoid_ip_verification: false do
+      user = create_user
+      token = user.log_traceable_request!(default_options)
+      user.expire_session_token(token)
+
+      assert_not user.accept_traceable_token?(token, ip_address: '0.0.0.0')
+    end
+  end
+
   test 'last_accessed_at should be updated' do
     user = create_user
     token = user.log_traceable_request!(default_options)