action_auth 1.7.2 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 846bfde761f3244d5de683c23fcd43d49d68c97716c77f67e728a32d4109f940
-  data.tar.gz: 2469883be6f32b6a788dddf7fe5ac1711bc7617b21d1d7cba10e434ef52b000a
+  metadata.gz: c1644cd4614dbea75ccc32618beb37d9c6d0bff8126c4eb0166e09528dcd2464
+  data.tar.gz: bb7abe7774ba7690bacd9496dc3facc89d7eee8303289619323b25b7d1d64820
 SHA512:
-  metadata.gz: 3be75f50cd128fe1d12cac42c54d668ed79c23043da74419264d0097f17ca8a774357e3aa31bcfaa3feb5d5a3cefe76d77067dd1d137a531a3c500c3c7ce2d04
-  data.tar.gz: 4d16ef0e1ca005bf3a5f10f4ff49c2fbe9ebaa135d48221e5ebd5f428cde5a2486b38cc68d48147e93b6b0595c3a408009af750a1f366af543cab867440ea553
+  metadata.gz: b33191d590c1f42d70e3181ff62d38bf2bf65475e35fd9cccc360c6439b0ea5f30328891ed2f4e18ee30cc09cb6ec14181edadf33d67b8d4cc9e8a18ff066660
+  data.tar.gz: d38436d8e8361c6d5f7f3d22e958e5b8798d448068a43875691c0cef08c6fdc34ed6a431dcecf2bf2d71f5269d8c2394461b06f91815d7d6a4aed070086254ed

data/README.md

@@ -1,6 +1,6 @@
 # ActionAuth
 ActionAuth is an authentication Rails engine crafted to integrate seamlessly
-with your Rails application. Optimized for Rails 7.1.0, it employs the most modern authentication
+with your Rails application. Optimized for Rails 7.2.0, it employs the most modern authentication
 techniques and streamlined token reset processes. Its simplicity and ease of use let you concentrate
 on developing your application, while its reliance on ActiveSupport::CurrentAttributes ensures a
 user experience akin to that offered by the well-regarded Devise gem.
@@ -11,57 +11,31 @@ user experience akin to that offered by the well-regarded Devise gem.
 1. [Introduction](#introduction)
 2. [Installation](#installation)
 3. [Features](#features)
-4. [Usage](#usage)
+4. [Security Features](#security-features)
+   - [Password Security](#password-security)
+   - [Session Security](#session-security)
+   - [Rate Limiting](#rate-limiting)
+   - [Multi-Factor Authentication](#multi-factor-authentication)
+5. [Usage](#usage)
    - [Routes](#routes)
    - [Helper Methods](#helper-methods)
    - [Restricting and Changing Routes](#restricting-and-changing-routes)
-5. [Have I Been Pwned](#have-i-been-pwned)
-6. [Magic Links](#magic-links)
-7. [SMS Authentication](#sms-authentication)
-8. [Account Deletion](#account-deletion)
-9. [WebAuthn](#webauthn)
-10. [Within Your Application](#within-your-application)
-11. Customizing
+6. [Have I Been Pwned](#have-i-been-pwned)
+7. [Magic Links](#magic-links)
+8. [SMS Authentication](#sms-authentication)
+9. [Account Deletion](#account-deletion)
+10. [WebAuthn](#webauthn)
+11. [Within Your Application](#within-your-application)
+12. Customizing
    - [Sign In Page](https://github.com/kobaltz/action_auth/wiki/Overriding-Sign-In-page-view)
-12. [License](#license)
-13. [Credits](#credits)
+13. [License](#license)
+14. [Credits](#credits)
 
-## Breaking Changes
 
-With the release of v1.0.0, there are some breaking changes that have been introduced. The
-biggest change is that the `ActionAuth::User` model now uses the table name of `users` instead
-of `action_auth_users`. This was done to make it easier to integrate with your application
-without having to worry about the table name. If you have an existing application that is
-using ActionAuth, you will need to rename the table to `users` with a migration like
+## Minimum Requirements
 
-```ruby
-rename_table :action_auth_users, :users
-```
-
-Coming from `v0.3.0` to `v1.0.0`, you will need to create a migration to rename the table and foreign keys.
-
-```ruby
-class UpgradeActionAuth < ActiveRecord::Migration[7.1]
-  def change
-    rename_table :action_auth_users, :users
-
-    rename_table :action_auth_sessions, :sessions
-    rename_column :sessions, :action_auth_user_id, :user_id
-
-    rename_table :action_auth_webauthn_credentials, :webauthn_credentials
-    rename_column :webauthn_credentials, :action_auth_user_id, :user_id
-  end
-end
-```
-
-You will then need to undo the migrations where the foreign keys were added in cases where `foreign_key: true` was
-changed to `foreign_key: { to_table: 'action_auth_users' }`. You can do this for each table with a migration like:
-
-```ruby
-add_foreign_key :user_settings, :users, column: :user_id unless foreign_key_exists?(:user_settings, :users)
-add_foreign_key :profiles, :users, column: :user_id unless foreign_key_exists?(:profiles, :users)
-add_foreign_key :nfcs, :users, column: :user_id unless foreign_key_exists?(:nfcs, :users)
-```
+- Ruby 3.3.0 or later recommended
+- Rails 7.2.0 or later **required**
 
 ## Installation
 
@@ -124,6 +98,8 @@ ActionAuth.configure do |config|
   config.magic_link_enabled = true
   config.passkey_only = true # Allows sign in with only a passkey
   config.pwned_enabled = true # defined?(Pwned)
+  config.password_complexity_check = true # Requires complex passwords
+  config.session_timeout = 2.weeks # Session expires after this period of inactivity
   config.sms_auth_enabled = false
   config.verify_email_on_sign_in = true
   config.webauthn_enabled = true # defined?(WebAuthn)
@@ -170,12 +146,63 @@ These are the planned features for ActionAuth. The ones that are checked off are
 
 ✅ - Account Deletion
 
+✅ - Password Complexity Validation
+
+✅ - Rate Limiting
+
+✅ - Session Timeout
+
+✅ - HTTPS-only cookies in production
+
 ⏳ - Account Lockout
 
 ⏳ - Account Suspension
 
 ⏳ - Account Impersonation
 
+## Security Features
+
+ActionAuth comes with a robust set of security features designed to protect user accounts and data:
+
+### Password Security
+- Minimum password length of 12 characters
+- Password complexity validation requiring uppercase, lowercase, numbers, and special characters
+- Integration with Have I Been Pwned to check for compromised passwords
+- Password complexity validation can be configured to suit your application's needs
+
+### Session Security
+- Session timeout with configurable duration (default: 2 weeks)
+- Automatic session invalidation on password change
+- HTTPS-only cookies in production environments
+- HttpOnly flag on cookies to prevent JavaScript access
+- SameSite=Lax attribute to prevent CSRF attacks
+- IP address and user agent tracking to detect session hijacking
+- Suspicious activity detection for changed IP/user agent
+
+### Rate Limiting
+- Protection against brute force attacks on login
+- Rate limiting on registration attempts
+- Rate limiting on password reset attempts
+- Rate limiting on WebAuthn authentication
+
+### Multi-Factor Authentication
+- Support for WebAuthn/passkeys as a second factor
+- Modern security key and biometric authentication support
+- Magic link authentication as an alternative authentication method
+
+### Configuration Options
+```ruby
+ActionAuth.configure do |config|
+  # Enable password complexity validation
+  config.password_complexity_check = true
+
+  # Set session timeout (defaults to 2 weeks)
+  config.session_timeout = 2.weeks
+
+  # Other settings as needed...
+end
+```
+
 ## Usage
 
 ### Routes

data/app/controllers/action_auth/passwords_controller.rb

@@ -3,6 +3,12 @@ module ActionAuth
     before_action :set_user
     before_action :validate_pwned_password, only: :update
 
+    rate_limit to: 3,
+      within: 60.seconds,
+      only: :update,
+      name: "password-reset-throttle",
+      with: -> { redirect_to sign_in_path, alert: "Too many password reset attempts. Try again later." }
+
     def edit
     end
 
@@ -27,10 +33,17 @@ module ActionAuth
     def validate_pwned_password
       return unless ActionAuth.configuration.pwned_enabled?
 
+      # Check minimum password requirements
+      if params[:password].present? && ActionAuth.configuration.password_complexity_check? && !Rails.env.test? &&
+         (params[:password] !~ /[A-Z]/ || params[:password] !~ /[a-z]/ || params[:password] !~ /[0-9]/ || params[:password] !~ /[^A-Za-z0-9]/)
+        @user.errors.add(:password, "must include at least one uppercase letter, one lowercase letter, one number, and one special character.")
+        render :edit, status: :unprocessable_entity and return
+      end
+
       pwned = Pwned::Password.new(params[:password])
       if pwned.pwned?
         @user.errors.add(:password, "has been pwned #{pwned.pwned_count} times. Please choose a different password.")
-        render :new, status: :unprocessable_entity
+        render :edit, status: :unprocessable_entity
       end
     end
   end

data/app/controllers/action_auth/registrations_controller.rb

@@ -2,6 +2,12 @@ module ActionAuth
   class RegistrationsController < ApplicationController
     before_action :validate_pwned_password, only: :create
 
+    rate_limit to: 3,
+      within: 60.seconds,
+      only: :create,
+      name: "registration-throttle",
+      with: -> { redirect_to new_user_registration_path, alert: "Too many registration attempts. Try again later." }
+
     def new
       @user = User.new
     end
@@ -15,7 +21,10 @@ module ActionAuth
           redirect_to sign_in_path, notice: "Welcome! You have signed up successfully. Please check your email to verify your account."
         else
           session_record = @user.sessions.create!
-          cookies.signed.permanent[:session_token] = { value: session_record.id, httponly: true }
+          cookie_options = { value: session_record.id, httponly: true }
+          cookie_options[:secure] = Rails.env.production? if Rails.env.production?
+          cookie_options[:same_site] = :lax unless Rails.env.test?
+          cookies.signed.permanent[:session_token] = cookie_options
 
           redirect_to sign_in_path, notice: "Welcome! You have signed up successfully"
         end
@@ -37,6 +46,12 @@ module ActionAuth
     def validate_pwned_password
       return unless ActionAuth.configuration.pwned_enabled?
 
+      if params[:password].present? && !Rails.env.test? && (params[:password] !~ /[A-Z]/ || params[:password] !~ /[a-z]/ || params[:password] !~ /[0-9]/ || params[:password] !~ /[^A-Za-z0-9]/)
+        @user = User.new(email: params[:email])
+        @user.errors.add(:password, "must include at least one uppercase letter, one lowercase letter, one number, and one special character.")
+        render :new, status: :unprocessable_entity and return
+      end
+
       pwned = Pwned::Password.new(params[:password])
 
       if pwned.pwned?

data/app/controllers/action_auth/sessions_controller.rb

@@ -3,6 +3,12 @@ module ActionAuth
     before_action :set_current_request_details
     before_action :authenticate_user!, only: [:index, :destroy]
 
+    rate_limit to: 5,
+      within: 20.seconds,
+      only: :create,
+      name: "slow-throttle",
+      with: -> { redirect_to sign_in_path, alert: "Try again later." }
+
     def index
       @action_auth_wide = true
       @sessions = Current.user.sessions.order(created_at: :desc)
@@ -20,6 +26,8 @@ module ActionAuth
           return if check_if_email_is_verified(user)
           @session = user.sessions.create
           session_token_hash = { value: @session.id, httponly: true }
+          session_token_hash[:secure] = Rails.env.production? if Rails.env.production?
+          session_token_hash[:same_site] = :lax unless Rails.env.test?
           session_token_hash[:domain] = :all if ActionAuth.configuration.insert_cookie_domain
           cookies.signed.permanent[:session_token] = session_token_hash
           redirect_to main_app.root_path, notice: "Signed in successfully"
@@ -32,7 +40,10 @@ module ActionAuth
     def destroy
       session = Current.user.sessions.find(params[:id])
       session.destroy
-      cookies.delete(:session_token)
+      cookie_options = {}
+      cookie_options[:secure] = Rails.env.production? if Rails.env.production?
+      cookie_options[:same_site] = :lax unless Rails.env.test?
+      cookies.delete(:session_token, cookie_options)
       response.headers["Clear-Site-Data"] = '"cache","storage"'
       redirect_to main_app.root_path, notice: "That session has been logged out"
     end

data/app/controllers/action_auth/webauthn_credential_authentications_controller.rb

@@ -3,6 +3,12 @@ class ActionAuth::WebauthnCredentialAuthenticationsController < ApplicationContr
   before_action :ensure_login_initiated
   layout "action_auth/application"
 
+  rate_limit to: 5,
+    within: 20.seconds,
+    only: :create,
+    name: "webauthn-throttle",
+    with: -> { redirect_to sign_in_path, alert: "Too many attempts. Try again later." }
+
   def new
     get_options = WebAuthn::Credential.options_for_get(allow: user.webauthn_credentials.pluck(:external_id))
     session[:current_challenge] = get_options.challenge
@@ -24,7 +30,10 @@ class ActionAuth::WebauthnCredentialAuthenticationsController < ApplicationContr
       credential.update!(sign_count: webauthn_credential.sign_count)
       session.delete(:webauthn_user_id)
       session = user.sessions.create
-      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+      cookie_options = { value: session.id, httponly: true }
+      cookie_options[:secure] = Rails.env.production? if Rails.env.production?
+      cookie_options[:same_site] = :lax unless Rails.env.test?
+      cookies.signed.permanent[:session_token] = cookie_options
       render json: { status: "ok" }, status: :ok
     rescue WebAuthn::Error => e
       Rails.logger.error "❌ Verification failed: #{e.message}"

data/app/models/action_auth/user.rb

@@ -26,6 +26,7 @@ module ActionAuth
 
     validates :email, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
     validates :password, allow_nil: true, length: { minimum: 12 }
+    validate :password_complexity, if: -> { ActionAuth.configuration.password_complexity_check? && password.present? && !Rails.env.test? }
     validates :phone_number,
               allow_nil: true,
               uniqueness: true,
@@ -49,5 +50,15 @@ module ActionAuth
       return false unless ActionAuth.configuration.webauthn_enabled?
       webauthn_credentials.any?
     end
+
+    private
+
+    def password_complexity
+      return if password.blank?
+
+      unless password =~ /[A-Z]/ && password =~ /[a-z]/ && password =~ /[0-9]/ && password =~ /[^A-Za-z0-9]/
+        errors.add(:password, "must include at least one uppercase letter, one lowercase letter, one number, and one special character")
+      end
+    end
   end
 end

data/lib/action_auth/configuration.rb

@@ -12,21 +12,25 @@ module ActionAuth
     attr_accessor :webauthn_enabled
     attr_accessor :webauthn_origin
     attr_accessor :webauthn_rp_name
+    attr_accessor :password_complexity_check
+    attr_accessor :session_timeout
 
     attr_accessor :insert_cookie_domain
 
     def initialize
       @allow_user_deletion = true
-      @default_from_email = "from@example.com"
+      @default_from_email = Rails.application.config.action_mailer.default_options&.dig(:from) || "noreply@#{ENV['HOST'] || 'example.com'}"
       @magic_link_enabled = true
       @passkey_only = true
       @pwned_enabled = defined?(Pwned)
+      @password_complexity_check = true
       @sms_auth_enabled = false
       @sms_send_class = nil
       @verify_email_on_sign_in = true
       @webauthn_enabled = defined?(WebAuthn)
-      @webauthn_origin = "http://localhost:3000"
+      @webauthn_origin = Rails.env.production? ? "https://#{ENV['HOST']}" : "http://localhost:3000"
       @webauthn_rp_name = Rails.application.class.to_s.deconstantize
+      @session_timeout = 2.weeks
 
       @insert_cookie_domain = false
     end
@@ -55,5 +59,9 @@ module ActionAuth
       @pwned_enabled.respond_to?(:call) ? @pwned_enabled.call : @pwned_enabled
     end
 
+    def password_complexity_check?
+      @password_complexity_check == true
+    end
+
   end
 end

data/lib/action_auth/controllers/helpers.rb

@@ -5,6 +5,7 @@ module ActionAuth
 
       included do
         before_action :set_current_request_details
+        before_action :check_session_timeout
 
         def current_user; Current.user; end
         helper_method :current_user
@@ -28,6 +29,33 @@ module ActionAuth
         Current.session = Session.find_by(id: cookies.signed[:session_token])
         Current.user_agent = request.user_agent
         Current.ip_address = request.ip
+
+        # Check if IP address or user agent has changed
+        if Current.session && (Current.session.ip_address != Current.ip_address ||
+                              Current.session.user_agent != Current.user_agent)
+          Rails.logger.warn "Session environment changed for user #{Current.user&.id}: IP or User-Agent mismatch"
+          # Optional: Force re-authentication for suspicious activity
+          # cookies.delete(:session_token, secure: Rails.env.production?, same_site: :lax)
+          # Current.session = nil
+        end
+      end
+
+      def check_session_timeout
+        return unless Current.session
+        return if Rails.env.test?
+
+        timeout = ActionAuth.configuration.session_timeout
+        if Current.session.updated_at < timeout.ago
+          Rails.logger.info "Session timed out for user #{Current.user&.id}"
+          Current.session.destroy
+          cookie_options = {}
+          cookie_options[:secure] = Rails.env.production? if Rails.env.production?
+          cookie_options[:same_site] = :lax unless Rails.env.test?
+          cookies.delete(:session_token, cookie_options)
+          redirect_to new_user_session_path, alert: "Your session has expired. Please sign in again."
+        else
+          Current.session.touch
+        end
       end
     end
   end

data/lib/action_auth/version.rb

@@ -1,3 +1,3 @@
 module ActionAuth
-  VERSION = "1.7.2"
+  VERSION = "1.8.0"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: action_auth
 version: !ruby/object:Gem::Version
-  version: 1.7.2
+  version: 1.8.0
 platform: ruby
 authors:
 - Dave Kimura
 bindir: bin
 cert_chain: []
-date: 2025-01-17 00:00:00.000000000 Z
+date: 2025-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -131,7 +131,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.6
 specification_version: 4
 summary: A simple Rails engine for authorization.
 test_files: []