action_auth 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2199e638d124811034db20d5d3cd6f0b23d56acf260d42e18f9559bf54405295
4
- data.tar.gz: ab312a35ead67087ab41cfb30f54a42696521924fb1e695870e87632742497d6
3
+ metadata.gz: c9adce01d4651e8af6f14f8738bb4f762512485d75640d9fd1993ef68fa6c37a
4
+ data.tar.gz: 9b0c5e31a61b57efef137cb9429de5015390da6a01ce6ce1bad200a3b881ccbb
5
5
  SHA512:
6
- metadata.gz: 53f6e3b604bc0037a751269cd16975e243e84ebd1018419764c88a2b60a8309455736b2b7a2ec1e6b29cb2970e4e0020348756fed9658400f32d2d3a2f3b179a
7
- data.tar.gz: 0ccad04b7a3e4ccbb50e80149b40d452364089600a2a5462ea2392ece13151f8903f65c491d8bd3dc5507ae6fac3ac6430ae18b0b0ac247acb434f898a3c3055
6
+ metadata.gz: 132b6dad72a8a2d4531febde70f32cb3e793ab98a23d48567a9ec7c2e62655737e9c5c608f302e011c10018e787422c2d4205a1739feea3aeb7849e82ea19c82
7
+ data.tar.gz: a4fed6bd6daf8ae5c2de6cdf3e4b46090a349a4426155d368d9ec94713e0b2e00288c4c199724253a9f96ac2722c0647e3382a2c1b0b23bdb196756a4d7b00c0
data/README.md CHANGED
@@ -15,12 +15,13 @@ user experience akin to that offered by the well-regarded Devise gem.
15
15
  - [Routes](#routes)
16
16
  - [Helper Methods](#helper-methods)
17
17
  - [Restricting and Changing Routes](#restricting-and-changing-routes)
18
- 5. [WebAuthn](#webauthn)
19
- 6. [Within Your Application](#within-your-application)
20
- 7. Customizing
18
+ 5. [Have I Been Pwned](#have-i-been-pwned)
19
+ 6. [WebAuthn](#webauthn)
20
+ 7. [Within Your Application](#within-your-application)
21
+ 8. Customizing
21
22
  - [Sign In Page](https://github.com/kobaltz/action_auth/wiki/Overriding-Sign-In-page-view)
22
- 7. [License](#license)
23
- 8. [Credits](#credits)
23
+ 9. [License](#license)
24
+ 10. [Credits](#credits)
24
25
 
25
26
  ## Breaking Changes
26
27
 
@@ -130,6 +131,8 @@ These are the planned features for ActionAuth. The ones that are checked off are
130
131
 
131
132
  ⏳ - OAuth with Google, Facebook, Github, Twitter, etc.
132
133
 
134
+ ✅ - Have I Been Pwned Integration
135
+
133
136
  ✅ - Account Deletion
134
137
 
135
138
  ⏳ - Account Lockout
@@ -206,13 +209,15 @@ versus a user that is not logged in.
206
209
  end
207
210
  root to: 'welcome#index'
208
211
 
209
- ## WebAuthn
212
+ ## Have I Been Pwned
210
213
 
211
- ActionAuth's approach for WebAuthn is simplicity. It is used as a multifactor authentication step,
212
- so users will still need to register their email address and password. Once the user is registered,
213
- they can add a Passkey to their account. The Passkey could be an iCloud Keychain, a hardware security
214
- key like a Yubikey, or a mobile device. If enabled and configured, the user will be prompted to use
215
- their Passkey after they log in.
214
+ [Have I Been Pwned](https://haveibeenpwned.com/) is a way that youre able to check if a password has been compromised in a data breach. This is a great way to ensure that your users are using secure passwords.
215
+
216
+ Add the `pwned` gem to your Gemfile. That's all you'll have to do to enable this functionality.
217
+
218
+ ```ruby
219
+ bundle add pwned
220
+ ```
216
221
 
217
222
  ## Magic Links
218
223
 
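Review bot: the `bundle add pwned` snippet in the new "Have I Been Pwned" section is a shell command but its fence is tagged ```ruby; tag it ```bash (or ```shell) so it renders and copies as a command rather than as Ruby. Two smaller points in the same paragraph: "youre" should be "you're", and "That's all you'll have to do" leaves out what the reader actually needs to operate this: the check runs on sign-up, password change and password reset, it calls the haveibeenpwned.com API at request time (so the app server needs outbound network access and an outage affects those three flows), and it is auto-enabled only because the configuration hunk in this same release sets `@pwned_enabled = defined?(Pwned)`, with a `pwned_enabled?` predicate to turn it off. One sentence on each would tell operators that they are taking on a runtime dependency on a third-party service.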
@@ -236,6 +241,13 @@ will want to style this to fit your application and have some kind of confirmati
236
241
  <%= button_to "Delete Account", action_auth.users_path, method: :delete %>
237
242
  </p>
238
243
  ```
244
+ ## WebAuthn
245
+
246
+ ActionAuth's approach for WebAuthn is simplicity. It is used as a multifactor authentication step,
247
+ so users will still need to register their email address and password. Once the user is registered,
248
+ they can add a Passkey to their account. The Passkey could be an iCloud Keychain, a hardware security
249
+ key like a Yubikey, or a mobile device. If enabled and configured, the user will be prompted to use
250
+ their Passkey after they log in.
239
251
 
240
252
  #### Configuration
241
253
 
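Review bot: the moved `## WebAuthn` heading directly follows the closing ``` of the Account Deletion example with no blank line between them; the rest of this README keeps a blank line before every heading (see the new `## Have I Been Pwned` block), so add one here for consistency and to keep stricter Markdown renderers from gluing the heading to the fence. The section body itself is relocated unchanged, which is fine.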
@@ -2,6 +2,7 @@ module ActionAuth
2
2
  module Identity
3
3
  class PasswordResetsController < ApplicationController
4
4
  before_action :set_user, only: %i[ edit update ]
5
+ before_action :validate_pwned_password, only: :update
5
6
 
6
7
  def new
7
8
  end
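Review bot: the new `before_action :validate_pwned_password, only: :update` is declared after `before_action :set_user`, which is the order you want, since whatever `set_user` does with the reset request happens before any call to Have I Been Pwned is made and a request that fails `set_user` never triggers the external lookup. Worth a one-line comment saying the ordering is deliberate, so a later refactor does not swap the two filters.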
@@ -41,6 +42,16 @@ module ActionAuth
41
42
  def send_password_reset_email
42
43
  UserMailer.with(user: @user).password_reset.deliver_later
43
44
  end
45
+
46
+ def validate_pwned_password
47
+ return unless ActionAuth.configuration.pwned_enabled?
48
+
49
+ pwned = Pwned::Password.new(params[:password])
50
+ if pwned.pwned?
51
+ @user.errors.add(:password, "has been pwned #{pwned.pwned_count} times. Please choose a different password.")
52
+ render :edit, status: :unprocessable_entity
53
+ end
54
+ end
44
55
  end
45
56
  end
46
57
  end
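Review bot: `validate_pwned_password` has no error handling around the network call: `Pwned::Password#pwned?` queries the haveibeenpwned.com range API and raises `Pwned::Error` (or `Pwned::TimeoutError`) when the service is unreachable, so an HIBP outage turns every password reset into a 500. Decide whether the check fails open or closed and make it explicit, for example `rescue Pwned::Error; return` to fail open (the gem's own recommendation for sign-up flows) or `rescue Pwned::Error => e` followed by adding an error and re-rendering to fail closed. Second, `Pwned::Password.new(params[:password])` raises `TypeError` when `params[:password]` is nil, because the gem requires a String, so a request without the field should short-circuit with `return if params[:password].blank?` and let model validation report the missing password. Third, this exact method is duplicated into PasswordsController and RegistrationsController in the same release; move it into ApplicationController or a concern so the three copies cannot drift.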
@@ -1,6 +1,7 @@
1
1
  module ActionAuth
2
2
  class PasswordsController < ApplicationController
3
3
  before_action :set_user
4
+ before_action :validate_pwned_password, only: :update
4
5
 
5
6
  def edit
6
7
  end
@@ -22,5 +23,15 @@ module ActionAuth
22
23
  def user_params
23
24
  params.permit(:password, :password_confirmation, :password_challenge).with_defaults(password_challenge: "")
24
25
  end
26
+
27
+ def validate_pwned_password
28
+ return unless ActionAuth.configuration.pwned_enabled?
29
+
30
+ pwned = Pwned::Password.new(params[:password])
31
+ if pwned.pwned?
32
+ @user.errors.add(:password, "has been pwned #{pwned.pwned_count} times. Please choose a different password.")
33
+ render :new, status: :unprocessable_entity
34
+ end
35
+ end
25
36
  end
26
37
  end
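Review bot: `render :new, status: :unprocessable_entity` looks wrong for this controller: the only form action visible here is `edit`, and the sibling PasswordResetsController re-renders `:edit` in the same situation, so a pwned password during a password change will most likely raise `ActionView::MissingTemplate` instead of showing the error to the user. Change it to `render :edit, status: :unprocessable_entity` (and add a request spec that submits a known-breached password, which would have caught this). Two further points: because the check is a before_action it runs before `update` verifies `password_challenge` (the current password, permitted in `user_params` with a default of `""`), so a wrong current password still costs an HIBP round trip; do the cheap local check first. And, as in the reset controller, there is no rescue for `Pwned::Error` and no guard for a nil `params[:password]`, which raises `TypeError` inside `Pwned::Password.new`.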
@@ -1,5 +1,7 @@
1
1
  module ActionAuth
2
2
  class RegistrationsController < ApplicationController
3
+ before_action :validate_pwned_password, only: :create
4
+
3
5
  def new
4
6
  @user = User.new
5
7
  end
@@ -23,12 +25,25 @@ module ActionAuth
23
25
  end
24
26
 
25
27
  private
26
- def user_params
27
- params.permit(:email, :password, :password_confirmation)
28
- end
29
28
 
30
- def send_email_verification
31
- UserMailer.with(user: @user).email_verification.deliver_later
29
+ def user_params
30
+ params.permit(:email, :password, :password_confirmation)
31
+ end
32
+
33
+ def send_email_verification
34
+ UserMailer.with(user: @user).email_verification.deliver_later
35
+ end
36
+
37
+ def validate_pwned_password
38
+ return unless ActionAuth.configuration.pwned_enabled?
39
+
40
+ pwned = Pwned::Password.new(params[:password])
41
+
42
+ if pwned.pwned?
43
+ @user = User.new(email: params[:email])
44
+ @user.errors.add(:password, "has been pwned #{pwned.pwned_count} times. Please choose a different password.")
45
+ render :new, status: :unprocessable_entity
32
46
  end
47
+ end
33
48
  end
34
49
  end
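Review bot: the existing `user_params` and `send_email_verification` methods appear as deleted and re-added only because their indentation under `private` changed; that is noise in review and in `git blame`, so either keep the previous indentation or land the whitespace change as its own commit. On the new code: `@user = User.new(email: params[:email])` rebuilds the form object so the email survives the re-render, which is good, but if the request has no `password` field at all, `Pwned::Password.new(nil)` raises `TypeError` before `create` ever runs; guard with `return if params[:password].blank?` and let the model report the missing password. Since the User model is the one thing all three flows (registration, password change, password reset) share, the cleanest replacement for the triplicated before_action is the gem's own ActiveModel validator, `validates :password, not_pwned: { on_error: :valid }`, which also makes the fail-open behaviour on API errors explicit; it would need to be declared only when `Pwned` is loaded to keep the dependency optional, which is the same condition the configuration already uses.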
@@ -15,18 +15,18 @@
15
15
 
16
16
  <%= form.hidden_field :sid, value: params[:sid] %>
17
17
 
18
- <div>
18
+ <div class="mb-3">
19
19
  <%= form.label :password, "New password", style: "display: block" %>
20
20
  <%= form.password_field :password, required: true, autofocus: true, autocomplete: "new-password" %>
21
21
  <div>12 characters minimum.</div>
22
22
  </div>
23
23
 
24
- <div>
24
+ <div class="mb-3">
25
25
  <%= form.label :password_confirmation, "Confirm new password", style: "display: block" %>
26
26
  <%= form.password_field :password_confirmation, required: true, autocomplete: "new-password" %>
27
27
  </div>
28
28
 
29
29
  <div>
30
- <%= form.submit "Save changes" %>
30
+ <%= form.submit "Save changes", class: "btn btn-primary" %>
31
31
  </div>
32
32
  <% end %>
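Review bot: the `mb-3` and `btn btn-primary` classes added to the two field wrappers and the submit button are Bootstrap-specific; that is harmless in an overridable engine view (apps without Bootstrap just see no change), but it is unrelated to the Have I Been Pwned feature and belongs in its own commit. Note that the `<div>12 characters minimum.</div>` hint is left as is even though this release now also rejects breached passwords; if the hint is meant to state the password policy, it should mention that breached passwords are refused when the check is enabled.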
@@ -14,6 +14,7 @@ module ActionAuth
14
14
  @allow_user_deletion = true
15
15
  @default_from_email = "from@example.com"
16
16
  @magic_link_enabled = true
17
+ @pwned_enabled = defined?(Pwned)
17
18
  @verify_email_on_sign_in = true
18
19
  @webauthn_enabled = defined?(WebAuthn)
19
20
  @webauthn_origin = "http://localhost:3000"
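Review bot: `@pwned_enabled = defined?(Pwned)` stores the string `"constant"` (or nil), not a boolean, mirroring the existing `@webauthn_enabled = defined?(WebAuthn)` line. That works only as long as the predicate tests truthiness; if the predicates move to `== true` comparisons, as two of them do in the next hunk of this file, the check silently stays off. Normalise at assignment with `!!defined?(Pwned)` so the stored value is a real boolean regardless of how the predicate is written.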
@@ -21,16 +22,20 @@ module ActionAuth
21
22
  end
22
23
 
23
24
  def allow_user_deletion?
24
- @allow_user_deletion.respond_to?(:call) ? @allow_user_deletion.call : @allow_user_deletion
25
+ @allow_user_deletion == true
25
26
  end
26
27
 
27
28
  def magic_link_enabled?
28
- @magic_link_enabled.respond_to?(:call) ? @magic_link_enabled.call : @magic_link_enabled
29
+ @magic_link_enabled == true
29
30
  end
30
31
 
31
32
  def webauthn_enabled?
32
33
  @webauthn_enabled.respond_to?(:call) ? @webauthn_enabled.call : @webauthn_enabled
33
34
  end
34
35
 
36
+ def pwned_enabled?
37
+ @pwned_enabled.respond_to?(:call) ? @pwned_enabled.call : @pwned_enabled
38
+ end
39
+
35
40
  end
36
41
  end
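Review bot: rewriting `allow_user_deletion?` and `magic_link_enabled?` from "call it if callable, otherwise return it" to `== true` is a silent behaviour change: a host app that set either option to a lambda or proc, which the previous code explicitly supported, now gets `false` with no error, and the README's "Breaking Changes" section in this same diff says nothing about it. Either document it there (a minor 1.3.0 bump is also questionable for a breaking configuration change) or keep the callable form. The file is now internally inconsistent as well: `webauthn_enabled?` and the new `pwned_enabled?` keep the callable-or-value form while the other two do not. If `== true` is the intended direction, note that applying it to `pwned_enabled?` would make the check always off, because `@pwned_enabled = defined?(Pwned)` holds the string `"constant"` rather than `true`; pick one semantics for all four predicates and coerce the defaults to booleans.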
@@ -1,3 +1,3 @@
1
1
  module ActionAuth
2
- VERSION = "1.2.0"
2
+ VERSION = "1.3.0"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: action_auth
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 1.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dave Kimura
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-08-09 00:00:00.000000000 Z
11
+ date: 2024-08-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails
@@ -125,7 +125,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
125
125
  - !ruby/object:Gem::Version
126
126
  version: '0'
127
127
  requirements: []
128
- rubygems_version: 3.5.16
128
+ rubygems_version: 3.5.17
129
129
  signing_key:
130
130
  specification_version: 4
131
131
  summary: A simple Rails engine for authorization.