action_auth 1.1.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c85ae94ede51ba040295cfca1ec2f6a46f412642bc3e3a3ada8fd102bec41ab
-  data.tar.gz: bf218c5419f6cf1a7f8eb5b70f0cbb58f9af1710be3222ee0a333075af32e5c5
+  metadata.gz: c9adce01d4651e8af6f14f8738bb4f762512485d75640d9fd1993ef68fa6c37a
+  data.tar.gz: 9b0c5e31a61b57efef137cb9429de5015390da6a01ce6ce1bad200a3b881ccbb
 SHA512:
-  metadata.gz: e09cef2c34868ff6e6bd0e4d81f6e5fa577d91c0b38d957f09b36aa48a2cf4a183b2ff0bc400c321eb03829aef23c3976188d108b3e9a2f6f887e2e3a86f7043
-  data.tar.gz: c3cce12a87a5bfdc1b785ed01cb2cbed07325f9e65150e4fe5e5a7b86c6f6a52f5357aad6d51510a9e87a92f389441b268462917f0ea619980d6d130bd681ad6
+  metadata.gz: 132b6dad72a8a2d4531febde70f32cb3e793ab98a23d48567a9ec7c2e62655737e9c5c608f302e011c10018e787422c2d4205a1739feea3aeb7849e82ea19c82
+  data.tar.gz: a4fed6bd6daf8ae5c2de6cdf3e4b46090a349a4426155d368d9ec94713e0b2e00288c4c199724253a9f96ac2722c0647e3382a2c1b0b23bdb196756a4d7b00c0

data/README.md

@@ -15,12 +15,13 @@ user experience akin to that offered by the well-regarded Devise gem.
    - [Routes](#routes)
    - [Helper Methods](#helper-methods)
    - [Restricting and Changing Routes](#restricting-and-changing-routes)
-5. [WebAuthn](#webauthn)
-6. [Within Your Application](#within-your-application)
-7. Customizing
+5. [Have I Been Pwned](#have-i-been-pwned)
+6. [WebAuthn](#webauthn)
+7. [Within Your Application](#within-your-application)
+8. Customizing
    - [Sign In Page](https://github.com/kobaltz/action_auth/wiki/Overriding-Sign-In-page-view)
-7. [License](#license)
-8. [Credits](#credits)
+9. [License](#license)
+10. [Credits](#credits)
 
 ## Breaking Changes
 
@@ -98,12 +99,13 @@ settings.
 
 ```ruby
 ActionAuth.configure do |config|
+  config.allow_user_deletion = true
+  config.default_from_email = "from@example.com"
+  config.magic_link_enabled = true
+  config.verify_email_on_sign_in = true
   config.webauthn_enabled = true
   config.webauthn_origin = "http://localhost:3000" # or "https://example.com"
   config.webauthn_rp_name = Rails.application.class.to_s.deconstantize
-  config.verify_email_on_sign_in = true
-  config.magic_link_enabled = true
-  config.default_from_email = "from@example.com"
 end
 ```
 
@@ -129,7 +131,9 @@ These are the planned features for ActionAuth. The ones that are checked off are
 
 ⏳ - OAuth with Google, Facebook, Github, Twitter, etc.
 
-⏳ - Account Deletion
+✅ - Have I Been Pwned Integration
+
+✅ - Account Deletion
 
 ⏳ - Account Lockout
 
@@ -205,6 +209,38 @@ versus a user that is not logged in.
     end
     root to: 'welcome#index'
 
+## Have I Been Pwned
+
+[Have I Been Pwned](https://haveibeenpwned.com/) is a way that youre able to check if a password has been compromised in a data breach. This is a great way to ensure that your users are using secure passwords.
+
+Add the `pwned` gem to your Gemfile. That's all you'll have to do to enable this functionality.
+
+```ruby
+bundle add pwned
+```
+
+## Magic Links
+
+Magic Links are a way to authenticate a user without requiring a password. This is done by sending
+an email to the user with a link that will log them in. This is a great way to allow users to log in
+without having to remember a password. This is especially useful for users who may not have a password
+manager or have a hard time remembering passwords.
+
+## Account Deletion
+
+Account deletion is a feature that is enabled by default. When a user deletes their account, the account
+is marked as deleted and the user is logged out. The user will no longer be able to log in with their
+email and password. The user will need to create a new account if they wish to continue using the application.
+
+Here's an example of how you may want to add a delete account button to your application. Obviously, you
+will want to style this to fit your application and have some kind of confirmation dialog.
+
+```
+<p>
+  Unhappy with the service?
+  <%= button_to "Delete Account", action_auth.users_path, method: :delete %>
+</p>
+```
 ## WebAuthn
 
 ActionAuth's approach for WebAuthn is simplicity. It is used as a multifactor authentication step,

data/app/controllers/action_auth/identity/password_resets_controller.rb

@@ -2,6 +2,7 @@ module ActionAuth
   module Identity
     class PasswordResetsController < ApplicationController
       before_action :set_user, only: %i[ edit update ]
+      before_action :validate_pwned_password, only: :update
 
       def new
       end
@@ -41,6 +42,16 @@ module ActionAuth
       def send_password_reset_email
         UserMailer.with(user: @user).password_reset.deliver_later
       end
+
+      def validate_pwned_password
+        return unless ActionAuth.configuration.pwned_enabled?
+
+        pwned = Pwned::Password.new(params[:password])
+        if pwned.pwned?
+          @user.errors.add(:password, "has been pwned #{pwned.pwned_count} times. Please choose a different password.")
+          render :edit, status: :unprocessable_entity
+        end
+      end
     end
   end
 end

data/app/controllers/action_auth/passwords_controller.rb

@@ -1,6 +1,7 @@
 module ActionAuth
   class PasswordsController < ApplicationController
     before_action :set_user
+    before_action :validate_pwned_password, only: :update
 
     def edit
     end
@@ -22,5 +23,15 @@ module ActionAuth
     def user_params
       params.permit(:password, :password_confirmation, :password_challenge).with_defaults(password_challenge: "")
     end
+
+    def validate_pwned_password
+      return unless ActionAuth.configuration.pwned_enabled?
+
+      pwned = Pwned::Password.new(params[:password])
+      if pwned.pwned?
+        @user.errors.add(:password, "has been pwned #{pwned.pwned_count} times. Please choose a different password.")
+        render :new, status: :unprocessable_entity
+      end
+    end
   end
 end

data/app/controllers/action_auth/registrations_controller.rb

@@ -1,5 +1,7 @@
 module ActionAuth
   class RegistrationsController < ApplicationController
+    before_action :validate_pwned_password, only: :create
+
     def new
       @user = User.new
     end
@@ -23,12 +25,25 @@ module ActionAuth
     end
 
     private
-      def user_params
-        params.permit(:email, :password, :password_confirmation)
-      end
 
-      def send_email_verification
-        UserMailer.with(user: @user).email_verification.deliver_later
+    def user_params
+      params.permit(:email, :password, :password_confirmation)
+    end
+
+    def send_email_verification
+      UserMailer.with(user: @user).email_verification.deliver_later
+    end
+
+    def validate_pwned_password
+      return unless ActionAuth.configuration.pwned_enabled?
+
+      pwned = Pwned::Password.new(params[:password])
+
+      if pwned.pwned?
+        @user = User.new(email: params[:email])
+        @user.errors.add(:password, "has been pwned #{pwned.pwned_count} times. Please choose a different password.")
+        render :new, status: :unprocessable_entity
       end
+    end
   end
 end

data/app/controllers/action_auth/users_controller.rb

@@ -0,0 +1,10 @@
+module ActionAuth
+  class UsersController < ApplicationController
+    before_action :authenticate_user!
+
+    def destroy
+      Current.user.destroy
+      redirect_to main_app.root_url, notice: "Your account has been deleted."
+    end
+  end
+end

data/app/views/action_auth/identity/password_resets/edit.html.erb

@@ -15,18 +15,18 @@
 
   <%= form.hidden_field :sid, value: params[:sid] %>
 
-  <div>
+  <div class="mb-3">
     <%= form.label :password, "New password", style: "display: block" %>
     <%= form.password_field :password, required: true, autofocus: true, autocomplete: "new-password" %>
     <div>12 characters minimum.</div>
   </div>
 
-  <div>
+  <div class="mb-3">
     <%= form.label :password_confirmation, "Confirm new password", style: "display: block" %>
     <%= form.password_field :password_confirmation, required: true, autocomplete: "new-password" %>
   </div>
 
   <div>
-    <%= form.submit "Save changes" %>
+    <%= form.submit "Save changes", class: "btn btn-primary" %>
   </div>
 <% end %>

data/config/routes.rb

@@ -3,13 +3,18 @@ ActionAuth::Engine.routes.draw do
   post "sign_in", to: "sessions#create"
   get  "sign_up", to: "registrations#new"
   post "sign_up", to: "registrations#create"
-  resources :sessions, only: [:index, :show, :destroy]
-  resource  :password, only: [:edit, :update]
+
   namespace :identity do
     resource :email,              only: [:edit, :update]
     resource :email_verification, only: [:show, :create]
     resource :password_reset,     only: [:new, :edit, :create, :update]
   end
+  resource  :password, only: [:edit, :update]
+  resources :sessions, only: [:index, :show, :destroy]
+
+  if ActionAuth.configuration.allow_user_deletion?
+    resource  :users, only: [:destroy]
+  end
 
   if ActionAuth.configuration.webauthn_enabled?
     resources :webauthn_credentials, only: [:new, :create, :destroy] do

data/lib/action_auth/configuration.rb

@@ -1,28 +1,40 @@
 module ActionAuth
   class Configuration
 
+    attr_accessor :allow_user_deletion
+    attr_accessor :default_from_email
+    attr_accessor :magic_link_enabled
+    attr_accessor :verify_email_on_sign_in
     attr_accessor :webauthn_enabled
     attr_accessor :webauthn_origin
     attr_accessor :webauthn_rp_name
-    attr_accessor :verify_email_on_sign_in
-    attr_accessor :magic_link_enabled
-    attr_accessor :default_from_email
+
 
     def initialize
+      @allow_user_deletion = true
+      @default_from_email = "from@example.com"
+      @magic_link_enabled = true
+      @pwned_enabled = defined?(Pwned)
+      @verify_email_on_sign_in = true
       @webauthn_enabled = defined?(WebAuthn)
       @webauthn_origin = "http://localhost:3000"
       @webauthn_rp_name = Rails.application.class.to_s.deconstantize
-      @verify_email_on_sign_in = true
-      @magic_link_enabled = true
-      @default_from_email = "from@example.com"
+    end
+
+    def allow_user_deletion?
+      @allow_user_deletion == true
+    end
+
+    def magic_link_enabled?
+      @magic_link_enabled == true
     end
 
     def webauthn_enabled?
       @webauthn_enabled.respond_to?(:call) ? @webauthn_enabled.call : @webauthn_enabled
     end
 
-    def magic_link_enabled?
-      @magic_link_enabled.respond_to?(:call) ? @magic_link_enabled.call : @magic_link_enabled
+    def pwned_enabled?
+      @pwned_enabled.respond_to?(:call) ? @pwned_enabled.call : @pwned_enabled
     end
 
   end

data/lib/action_auth/version.rb

@@ -1,3 +1,3 @@
 module ActionAuth
-  VERSION = "1.1.0"
+  VERSION = "1.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_auth
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Dave Kimura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-09 00:00:00.000000000 Z
+date: 2024-08-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -61,6 +61,7 @@ files:
 - app/controllers/action_auth/passwords_controller.rb
 - app/controllers/action_auth/registrations_controller.rb
 - app/controllers/action_auth/sessions_controller.rb
+- app/controllers/action_auth/users_controller.rb
 - app/controllers/action_auth/webauthn_credential_authentications_controller.rb
 - app/controllers/action_auth/webauthn_credentials_controller.rb
 - app/helpers/action_auth/application_helper.rb
@@ -124,7 +125,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.16
+rubygems_version: 3.5.17
 signing_key:
 specification_version: 4
 summary: A simple Rails engine for authorization.