action_auth 1.6.0 → 1.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0224e818bf936f4cd37a67bc6634e95d600774962f07796f88b7e66471273a8
-  data.tar.gz: 95281cb2e34de5fc9f91dcfb1eaca05263ebdedcc5ce4fec14223f27e2d6cf21
+  metadata.gz: 4db64b547fb30476de8606114e4a02fd4286c3f1535936847cb253dbe7122cae
+  data.tar.gz: 6c6db33a1cd8355ad9f53c22ff6a0e7cefe78f5e79e841694200921724619286
 SHA512:
-  metadata.gz: de4c8862b0a7ffdc2688c02d6e5b0cd2120b16d255dc2a63d5dfb2962cd99714ffd77bd80f41d2151f763fc6da44f025cb5092522d12d705db5b712fc88bb654
-  data.tar.gz: 7a2f3e28ae99f38d58955a3381e6aec6590c0f463b3e7d3d7294221f74bdb3580b2dbeed62d0148aca7346f3a3c7c9a59ce300d5d078b03053b7c08cb2cf3278
+  metadata.gz: 850b5731eeb33e46df11d2570df24955f7cabeab7ff31f4df0a87539af781b6f396f656baaa1404720c540d299375eeac2ba349e80d5d7767d08678b21e34091
+  data.tar.gz: 8024b8c5fb627c3aadf80d60f7b99860ca6b9a9ed168d6edcc7e3871d0e9ae8ca223a4efe1fbddebade7a3090a2c9daafc19736b6b934eb6ed66d247961e350c

data/README.md

@@ -16,12 +16,15 @@ user experience akin to that offered by the well-regarded Devise gem.
    - [Helper Methods](#helper-methods)
    - [Restricting and Changing Routes](#restricting-and-changing-routes)
 5. [Have I Been Pwned](#have-i-been-pwned)
-6. [WebAuthn](#webauthn)
-7. [Within Your Application](#within-your-application)
-8. Customizing
+6. [Magic Links](#magic-links)
+7. [SMS Authentication](#sms-authentication)
+8. [Account Deletion](#account-deletion)
+9. [WebAuthn](#webauthn)
+10. [Within Your Application](#within-your-application)
+11. Customizing
    - [Sign In Page](https://github.com/kobaltz/action_auth/wiki/Overriding-Sign-In-page-view)
-9. [License](#license)
-10. [Credits](#credits)
+12. [License](#license)
+13. [Credits](#credits)
 
 ## Breaking Changes
 
@@ -121,10 +124,19 @@ ActionAuth.configure do |config|
   config.magic_link_enabled = true
   config.passkey_only = true # Allows sign in with only a passkey
   config.pwned_enabled = true # defined?(Pwned)
+  config.sms_auth_enabled = false
   config.verify_email_on_sign_in = true
   config.webauthn_enabled = true # defined?(WebAuthn)
   config.webauthn_origin = "http://localhost:3000" # or "https://example.com"
   config.webauthn_rp_name = Rails.application.class.to_s.deconstantize
+
+  config.insert_cookie_domain = false
+end
+
+Rails.application.config.after_initialize do
+  ActionAuth.configure do |config|
+    config.sms_send_class = SmsSender
+  end
 end
 ```
 
@@ -152,6 +164,8 @@ These are the planned features for ActionAuth. The ones that are checked off are
 
 ⏳ - OAuth with Google, Facebook, Github, Twitter, etc.
 
+✅ - SMS Authentication
+
 ✅ - Have I Been Pwned Integration
 
 ✅ - Account Deletion
@@ -245,6 +259,50 @@ an email to the user with a link that will log them in. This is a great way to a
 without having to remember a password. This is especially useful for users who may not have a password
 manager or have a hard time remembering passwords.
 
+## SMS Authentication
+
+SMS Authentication is disabled by default. The purpose of this is to allow users to authenticate
+with a phone number. This is useful and specific to applications that may require a phone number
+instead of an email address for authentication. The basic workflow for this is to register a phone
+number, and then send a code to the phone number. The user will then enter the code to authenticate.
+
+No password or email is required for this. I do not recommend enabling this feature for most applications.
+
+You must set up your own SMS Provider. This is not included in the gem. You will need to configure the
+`sms_send_class` to send the SMS code. This will expect a class method called `send_code` that will take in the parameters
+`phone_number` and `code`.
+
+```ruby
+require 'twilio-ruby'
+
+class SmsSender
+  def self.send_code(phone_number, code)
+    account_sid = ENV['TWILIO_ACCOUNT_SID']
+    auth_token = ENV['TWILIO_AUTH_TOKEN']
+    from_number = ENV['TWILIO_PHONE_NUMBER']
+
+    client = Twilio::REST::Client.new(account_sid, auth_token)
+
+    client.messages.create(
+      from: from_number,
+      to: phone_number,
+      body: "Your verification code is #{code}"
+    )
+  end
+end
+```
+
+Since this file could live in the `app/models` or elsewhere, we will need to set its configuration after the Rails
+application has been loaded. This can be done in an initializer.
+
+```ruby
+Rails.application.config.after_initialize do
+  ActionAuth.configure do |config|
+    config.sms_send_class = SmsSender
+  end
+end
+```
+
 ## Account Deletion
 
 Account deletion is a feature that is enabled by default. When a user deletes their account, the account
@@ -260,6 +318,7 @@ will want to style this to fit your application and have some kind of confirmati
   <%= button_to "Delete Account", action_auth.users_path, method: :delete %>
 </p>
 ```
+
 ## WebAuthn
 
 ActionAuth's approach for WebAuthn is simplicity. It is used as a multifactor authentication step,

data/app/assets/stylesheets/action_auth/application.css

@@ -54,6 +54,8 @@ body {
 
 input[type="text"],
 input[type="email"],
+input[type="number"],
+input[type="tel"],
 input[type="password"] {
   -webkit-text-size-adjust: 100%;
   -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
@@ -186,6 +188,8 @@ input[type="password"] {
 
   input[type="text"],
   input[type="email"],
+  input[type="number"],
+  input[type="tel"],
   input[type="password"] {
     color: #d5c4a1;
     background-color: #282828;

data/app/controllers/action_auth/sessions_controller.rb

@@ -19,7 +19,9 @@ module ActionAuth
         else
           return if check_if_email_is_verified(user)
           @session = user.sessions.create
-          cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
+          session_token_hash = { value: @session.id, httponly: true }
+          session_token_hash[:domain] = :all if ActionAuth.configuration.insert_cookie_domain
+          cookies.signed.permanent[:session_token] = session_token_hash
           redirect_to main_app.root_path, notice: "Signed in successfully"
         end
       else

data/app/controllers/action_auth/sms_auths/requests_controller.rb

@@ -0,0 +1,31 @@
+module ActionAuth
+  class SmsAuths::RequestsController < ApplicationController
+    def new
+    end
+
+    def create
+      @user = User.find_or_initialize_by(phone_number: params[:phone_number])
+      if @user.new_record?
+        password = SecureRandom.hex(32)
+
+        @user.email = "#{SecureRandom.hex(32)}@smsauth"
+        @user.password = password
+        @user.password_confirmation = password
+        @user.verified = false
+
+        @user.save!
+      end
+
+      code = rand(100_000..999_999)
+      @user.update!(sms_code: code, sms_code_sent_at: Time.current)
+      cookies.signed[:sms_auth_phone_number] = { value: @user.phone_number, httponly: true }
+
+      if defined?(ActionAuth.configuration.sms_send_class) &&
+        ActionAuth.configuration.sms_send_class.respond_to?(:send_code)
+        ActionAuth.configuration.sms_send_class.send_code(@user.phone_number, code)
+      end
+
+      redirect_to sms_auths_sign_ins_path, notice: "Check your phone for a SMS Code."
+    end
+  end
+end

data/app/controllers/action_auth/sms_auths/sign_ins_controller.rb

@@ -0,0 +1,27 @@
+module ActionAuth
+  class SmsAuths::SignInsController < ApplicationController
+    def show
+      @user = ActionAuth::User.find_by(phone_number: params[:phone_number])
+    end
+
+    def create
+      user = ActionAuth::User.find_by(
+        phone_number: cookies.signed[:sms_auth_phone_number],
+        sms_code: params[:sms_code],
+        sms_code_sent_at: 5.minutes.ago..Time.current
+      )
+      if user
+        @session = user.sessions.create
+        cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
+        user.update(
+          verified: true,
+          sms_code: nil,
+          sms_code_sent_at: nil
+        )
+        redirect_to main_app.root_path, notice: "Signed In"
+      else
+        redirect_to sign_in_path, alert: "Authentication failed, please try again."
+      end
+    end
+  end
+end

data/app/models/action_auth/user.rb

@@ -26,7 +26,15 @@ module ActionAuth
 
     validates :email, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
     validates :password, allow_nil: true, length: { minimum: 12 }
-
+    validates :phone_number,
+              allow_nil: true,
+              uniqueness: true,
+              format: {
+                with: /\A\+\d+\z/,
+                message: "must be a valid international phone number with digits only after the country code"
+              }
+
+    normalizes :phone_number, with: -> phone_number { phone_number.gsub(/[^+\d]/, '') }
     normalizes :email, with: -> email { email.strip.downcase }
 
     before_validation if: :email_changed?, on: :update do

data/app/views/action_auth/registrations/new.html.erb

@@ -39,6 +39,9 @@
   <% if ActionAuth.configuration.magic_link_enabled? %>
     <%= link_to "Magic Link", new_magics_requests_path %> |
   <% end %>
+  <% if ActionAuth.configuration.sms_auth_enabled? %>
+    <%= link_to "SMS Auth", new_sms_auths_requests_path %> |
+  <% end %>
   <% if ActionAuth.configuration.passkey_only? %>
     <%= link_to "Passkey", new_sessions_passkey_path %> |
   <% end %>

data/app/views/action_auth/sessions/new.html.erb

@@ -20,6 +20,10 @@
       <span class="mx-3">or</span>
       <%= link_to "Magic Link", new_magics_requests_path %>
     <% end %>
+    <% if ActionAuth.configuration.sms_auth_enabled? %>
+      <span class="mx-3">or</span>
+      <%= link_to "SMS Auth", new_sms_auths_requests_path %> |
+    <% end %>
     <% if ActionAuth.configuration.passkey_only? %>
       <span class="mx-3">or</span>
       <%= link_to "Passkey", new_sessions_passkey_path %>

data/app/views/action_auth/sms_auths/requests/new.html.erb

@@ -0,0 +1,26 @@
+<h1>Request SMS Code</h1>
+
+<%= form_with(url: sms_auths_requests_path) do |form| %>
+  <div class="mb-3">
+    <%= form.label :phone_number, style: "display: block" %>
+    <%= form.telephone_field :phone_number, required: true, autofocus: true, autocomplete: "mobile" %>
+  </div>
+
+  <div class="mb-3">
+    <%= form.submit "Request SMS Code", class: "btn btn-primary" %>
+    <span class="mx-3">or</span>
+    <%= link_to "Sign In", sign_in_path %>
+    <% if ActionAuth.configuration.passkey_only? %>
+      <span class="mx-3">or</span>
+      <%= link_to "Passkey", new_sessions_passkey_path %>
+    <% end %>
+  </div>
+<% end %>
+
+<div class="mb-3">
+  <%= link_to "Sign Up", sign_up_path %> |
+  <%= link_to "Reset Password", new_identity_password_reset_path %>
+  <% if ActionAuth.configuration.verify_email_on_sign_in %>
+    | <%= link_to "Verify Email", identity_email_verification_path %>
+  <% end %>
+</div>

data/app/views/action_auth/sms_auths/sign_ins/show.html.erb

@@ -0,0 +1,14 @@
+<h1>Verify SMS Code</h1>
+
+<%= form_with(url: sms_auths_sign_ins_path) do |form| %>
+  <%= form.hidden_field :phone_number, value: cookies.signed[:sms_auth_phone_number] %>
+  <div class="mb-3">
+    <%= form.label :sms_code, style: "display: block" %>
+    <%= form.number_field :sms_code, required: true, autofocus: true, autocomplete: "one-time-code" %>
+  </div>
+
+  <div class="mb-3">
+    <%= form.submit "Sign In", class: "btn btn-primary" %>
+  </div>
+<% end %>
+

data/config/routes.rb

@@ -35,4 +35,11 @@ ActionAuth::Engine.routes.draw do
       resource :requests, only: [:new, :create]
     end
   end
+
+  if ActionAuth.configuration.sms_auth_enabled?
+    namespace :sms_auths do
+      resource :sign_ins, only: [:show, :create]
+      resource :requests, only: [:new, :create]
+    end
+  end
 end

data/db/migrate/20241020172209_add_phone_number_to_users.rb

@@ -0,0 +1,7 @@
+class AddPhoneNumberToUsers < ActiveRecord::Migration[7.2]
+  def change
+    add_column :users, :phone_number, :string
+    add_column :users, :sms_code, :string
+    add_column :users, :sms_code_sent_at, :datetime
+  end
+end

data/lib/action_auth/configuration.rb

@@ -6,11 +6,14 @@ module ActionAuth
     attr_accessor :magic_link_enabled
     attr_accessor :passkey_only
     attr_accessor :pwned_enabled
+    attr_accessor :sms_auth_enabled
+    attr_accessor :sms_send_class
     attr_accessor :verify_email_on_sign_in
     attr_accessor :webauthn_enabled
     attr_accessor :webauthn_origin
     attr_accessor :webauthn_rp_name
 
+    attr_accessor :insert_cookie_domain
 
     def initialize
       @allow_user_deletion = true
@@ -18,10 +21,14 @@ module ActionAuth
       @magic_link_enabled = true
       @passkey_only = true
       @pwned_enabled = defined?(Pwned)
+      @sms_auth_enabled = false
+      @sms_send_class = nil
       @verify_email_on_sign_in = true
       @webauthn_enabled = defined?(WebAuthn)
       @webauthn_origin = "http://localhost:3000"
       @webauthn_rp_name = Rails.application.class.to_s.deconstantize
+
+      @insert_cookie_domain = false
     end
 
     def allow_user_deletion?
@@ -32,6 +39,10 @@ module ActionAuth
       @magic_link_enabled == true
     end
 
+    def sms_auth_enabled?
+      @sms_auth_enabled == true
+    end
+
     def passkey_only?
       webauthn_enabled? && @passkey_only == true
     end

data/lib/action_auth/version.rb

@@ -1,3 +1,3 @@
 module ActionAuth
-  VERSION = "1.6.0"
+  VERSION = "1.7.1"
 end

data/lib/tasks/action_auth_tasks.rake

@@ -13,10 +13,18 @@ namespace :action_auth do
           #   config.magic_link_enabled = true
           #   config.passkey_only = true # Allows sign in with only a passkey
           #   config.pwned_enabled = true # defined?(Pwned)
+          #   config.sms_auth_enabled = false
           #   config.verify_email_on_sign_in = true
           #   config.webauthn_enabled = true # defined?(WebAuthn)
           #   config.webauthn_origin = "http://localhost:3000" # or "https://example.com"
           #   config.webauthn_rp_name = Rails.application.class.to_s.deconstantize
+          #   config.insert_cookie_domain = false
+          # end
+          #
+          # Rails.application.config.after_initialize do
+          #   ActionAuth.configure do |config|
+          #     config.sms_send_class = SmsSender
+          #   end
           # end
         RUBY
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_auth
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.1
 platform: ruby
 authors:
 - Dave Kimura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-09-28 00:00:00.000000000 Z
+date: 2024-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -62,6 +62,8 @@ files:
 - app/controllers/action_auth/registrations_controller.rb
 - app/controllers/action_auth/sessions/passkeys_controller.rb
 - app/controllers/action_auth/sessions_controller.rb
+- app/controllers/action_auth/sms_auths/requests_controller.rb
+- app/controllers/action_auth/sms_auths/sign_ins_controller.rb
 - app/controllers/action_auth/users_controller.rb
 - app/controllers/action_auth/webauthn_credential_authentications_controller.rb
 - app/controllers/action_auth/webauthn_credentials_controller.rb
@@ -83,6 +85,8 @@ files:
 - app/views/action_auth/sessions/index.html.erb
 - app/views/action_auth/sessions/new.html.erb
 - app/views/action_auth/sessions/passkeys/new.html.erb
+- app/views/action_auth/sms_auths/requests/new.html.erb
+- app/views/action_auth/sms_auths/sign_ins/show.html.erb
 - app/views/action_auth/user_mailer/email_verification.html.erb
 - app/views/action_auth/user_mailer/email_verification.text.erb
 - app/views/action_auth/user_mailer/magic_link.html.erb
@@ -99,6 +103,7 @@ files:
 - db/migrate/20240111125859_add_webauthn_credentials.rb
 - db/migrate/20240111142545_add_webauthn_id_to_users.rb
 - db/migrate/20240818032321_add_type_to_webauthn_credentials.rb
+- db/migrate/20241020172209_add_phone_number_to_users.rb
 - lib/action_auth.rb
 - lib/action_auth/configuration.rb
 - lib/action_auth/controllers/helpers.rb
@@ -128,7 +133,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.20
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: A simple Rails engine for authorization.