aikotoba 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b0d639e691f230c3bcb02686f18ecef8dab6a4fecf9310121c8e581a4079ab62
+  data.tar.gz: 169419bd1301489504a2d1049ee9f1c939432b95b0b6eea33df195b43bee0c6d
+SHA512:
+  metadata.gz: 3bae2cfbf6a1ccacc972abf66057b83b85261ac642800a563ea81b416d83f19f154049d5c9ccc8af0fa6d49c31eec38a0a19cdf3e9ffcd1920e556f02941d0f4
+  data.tar.gz: 347e3fbde3a2af2a02828faabebd94ca67adfe1c71e97f93c7c42e1ab2d83ee6bdee3df30ad5af7d760509f0d41b1f82fedbe9981423c2bec52fbc8ffa9122aa

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2021 Madogiwa
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,334 @@
+[![CI](https://github.com/madogiwa0124/aikotoba/actions/workflows/ci.yml/badge.svg)](https://github.com/madogiwa0124/aikotoba/actions/workflows/ci.yml)
+
+# Aikotoba
+
+Aikotoba meaning password in Japanese.
+
+Aikotoba is a Rails engine that makes it easy to implement simple email and password authentication.
+
+**Motivation**
+
+- Simple implementation using the Rails engine.
+- Modern hashing algorithm.
+- Separate the authentication logic from User.
+- Implementation for multiple DB.
+- Encrypting tokens using Active Record Encryption.
+
+**Features**
+
+- Authenticatable : Authenticate account using email and password.
+- Registrable(optional) : Register an account using your email address and password.
+- Confirmable(optional) : After registration, send an email with a token to confirm account.
+- Lockable(optional) : Lock account if make a mistake with password more than a certain number of times.
+- Recoverable(optional) : Recover account by resetting password.
+
+[For more information](#features)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'aikotoba'
+```
+
+## Usage
+
+### Getting Start
+
+Aikotoba use `Aikotoba::Account` for authentication. Add it to the migration for `Aikotoba::Account`.
+
+```sh
+$ bin/rails aikotoba:install:migrations
+```
+
+Mount `Aikotoba::Engine` your application.
+
+```ruby
+Rails.application.routes.draw do
+  mount Aikotoba::Engine => "/"
+end
+```
+
+Aikotoba enabled routes for registration(`/sign_up`) and authentication(`/sign_in`).
+
+include `Aikotoba::Authenticatable` to the controller(ex. `ApplicationController`) use authentication.
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Aikotoba::Authenticatable
+
+  # NOTE: You can implement the get authenticated account process as follows.
+  alias_method :current_account, :aikotoba_current_account
+  helper_method :current_account
+
+  # NOTE: You can implement the authorization process as follows
+  def authenticate_account!
+    return if current_account
+    redirect_to aikotoba.new_session_path, flash: {alert: "Oops. You need to Signed up or Signed in." }
+  end
+end
+```
+
+## Features
+
+### Authenticatable
+
+Authenticate an account using email and password.
+
+| HTTP Verb | Path      | Overview                                  |
+| --------- | --------- | ----------------------------------------- |
+| GET       | /sign_in  | Display sign in page.                     |
+| POST      | /sign_in  | Create a login session by authenticating. |
+| DELETE    | /sign_out | Clear aikotoba login session.             |
+
+Aikotoba enable helper methods for authentication. The method name can be changed by `alias_method`.
+
+- `aikotoba_current_account` : Returns the logged in instance of `Aikotoba::Account`.
+
+### Registrable
+
+To enable it, set `Aikotoba.registerable` to `true`. (It is enabled by default.)
+
+```ruby
+Aikotoba.registerable = true
+```
+
+Register an account using email and password.
+
+| HTTP Verb | Path     | Overview              |
+| --------- | -------- | --------------------- |
+| GET       | /sign_up | Display sign up page. |
+| POST      | /sign_up | Create an account.    |
+
+The password is stored as a hash in [Argon2](https://github.com/technion/ruby-argon2).
+
+### Confirmable
+
+To enable it, set `Aikotoba.confirmable` to `true`.
+
+```ruby
+Aikotoba.confirmable = true
+```
+
+Aikotoba enable routes for confirmation account. Also, when account registers, a confirmation email is sent to the email address. Only accounts that are confirmed will be authenticated.
+
+| HTTP Verb | Path            | Overview                               |
+| --------- | --------------- | -------------------------------------- |
+| GET       | /confirm        | Display page for create confirm token. |
+| POST      | /confirm        | Create a confirm token to account.     |
+| GET       | /confirm/:token | Confirm account by token.              |
+
+### Lockable
+
+To enable it, set `Aikotoba.lockable` to `true`.
+
+```ruby
+Aikotoba.lockable = true
+```
+
+Aikotoba enables a route to unlock an account. Also, if the authentication fails a certain number of times, the account will be locked. Only accounts that are not locked will be authenticated.
+
+| HTTP Verb | Path           | Overview                              |
+| --------- | -------------- | ------------------------------------- |
+| GET       | /unlock        | Display page for create unlock token. |
+| POST      | /unlock        | Create a unlock token to account.     |
+| GET       | /unlock/:token | Unlock account by token.              |
+
+### Recoverable
+
+To enable it, set `Aikotoba.recoverable` to `true`.
+
+```ruby
+Aikotoba.recoverable = true
+```
+
+Aikotoba enables a route to recover an account by password reset.
+
+| HTTP Verb | Path            | Overview                                            |
+| --------- | --------------- | --------------------------------------------------- |
+| GET       | /recover        | Display page for create recover token.              |
+| POST      | /recover        | Create a recover token to account.                  |
+| GET       | /recover/:token | Display page for recover account by password reset. |
+| PATCH     | /recover/:token | Recover account by password reset.                  |
+
+## Configuration
+
+The following configuration parameters are supported. You can override it. (ex. `initializers/aikotoba.rb`)
+
+```ruby
+require 'aikotoba'
+
+Aikotoba.parent_controller = "ApplicationController"
+Aikotoba.parent_mailer = "ActionMailer::Base"
+Aikotoba.mailer_sender = "from@example.com"
+Aikotoba.email_format = /\A[^\s]+@[^\s]+\z/
+Aikotoba.prevent_timing_atack = true
+Aikotoba.password_pepper = "aikotoba-default-pepper"
+Aikotoba.password_length_range = 8..100
+Aikotoba.sign_in_path = "/sign_in"
+Aikotoba.sign_out_path = "/sign_out"
+Aikotoba.after_sign_in_path = "/"
+Aikotoba.after_sign_out_path = "/sign_in"
+
+# for registerable
+Aikotoba.registerable = true
+Aikotoba.sign_up_path = "/sign_up"
+
+# for confirmable
+Aikotoba.confirmable = false
+Aikotoba.confirm_path = "/confirm"
+Aikotoba.confirmation_token_expiry = 1.day
+
+# for lockable
+Aikotoba.lockable = false
+Aikotoba.unlock_path = "/unlock"
+Aikotoba.max_failed_attempts = 10
+Aikotoba.unlock_token_expiry = 1.day
+
+# for Recoverable
+Aikotoba.recoverable = false
+Aikotoba.recover_path = "/recover"
+Aikotoba.recovery_token_expiry = 4.hours
+```
+
+## Tips
+
+### Customize Message
+
+All Messages are managed by `i18n` and can be freely overridden.
+
+### Manually create an `Aikotoba::Account` for authentication.
+
+By running the following script, you can hash and store passwords.
+
+```ruby
+Aikotoba::Account.create!(email: "sample@example.com", password: "password")
+Aikotoba::Account.authenticate_by(attributes: {email: "sample@example.com", password: "password"})
+# => created account instance.
+```
+
+### Create other model with `Aikotoba::Account`.
+
+You can override `Aikotoba::AccountsController#after_create_account_process` to create the other models together.
+
+```ruby
+require 'aikotoba'
+
+Rails.application.config.to_prepare do
+  Aikotoba::AccountsController.class_eval do
+    def after_create_account_process
+      profile = Profile.new(nickname: "foo")
+      profile.save!
+      @account.update!(authenticate_target: profile)
+    end
+  end
+end
+
+class Profile < ApplicationRecord
+  has_one :account, class_name: 'Aikotoba::Account'
+end
+
+current_account.profile #=> Profile instance
+profile.account #=> Aikotoba::Account instance
+```
+
+### Do something on before, after, failure.
+
+Controllers provides methods to execute the overridden process.
+
+For example, if you want to record an error log when the account creation fails, you can do the following.
+
+```ruby
+require 'aikotoba'
+
+Rails.application.config.to_prepare do
+  Aikotoba::AccountsController.class_eval do
+    def failed_create_account_process(e)
+      logger.error(e)
+    end
+  end
+end
+```
+
+### Using encrypted token
+
+Tokens can be encrypted using Active Record Encryption, introduced in Active Record 7 and later.
+To use it, enable Aikotoba.encipted_token in the initializer.
+
+```ruby
+Aikotoba.encypted_token = true
+```
+
+### How to identify the controller provided.
+
+The controller provided by Aikotoba is designed to inherit from `Aikotoba::ApplicationController`.
+
+Therefore, when implementing authorization based on login status, you can disable only the controllers provided by Aikotoba as follows.
+
+```ruby
+class ApplicationController < ApplicationController
+  include Aikotoba::Authenticatable
+
+  alias_method :current_account, :aikotoba_current_account
+
+  before_action :authenticate_account!, unless: :aikotoba_controller?
+
+  def authenticate_account!
+    return if current_account
+    redirect_to aikotoba.new_session_path, flash: {alert: "Oops. You need to Signed up or Signed in." }
+  end
+
+  private
+
+  def aikotoba_controller?
+    is_a?(::Aikotoba::ApplicationController)
+  end
+end
+```
+
+### Testing
+
+You can use a helper to login/logout by Aikotoba.
+:warning: It only supports rack testing.
+
+```ruby
+require "aikotoba/test/authentication_helper"
+require "test_helper"
+
+class HelperTest < ActionDispatch::SystemTestCase
+  include Aikotoba::Test::AuthenticationHelper::System
+  driven_by :rack_test
+
+  def setup
+    email, password = ["email@example.com", "password"]
+    @account = ::Aikotoba::Account.build_by(attributes: {email: email, password: password})
+    @account.save
+  end
+
+  test "sign_in by helper" do
+    aikotoba_sign_in(@account)
+    visit "/sensitives"
+    assert_selector "h1", text: "Sensitive Page"
+    click_on "Sign out"
+    assert_selector ".message", text: "Signed out."
+  end
+
+  test "sign_out by helper" do
+    aikotoba_sign_in(@account)
+    visit "/sensitives"
+    aikotoba_sign_out
+    visit "/sensitives"
+    assert_selector "h1", text: "Sign in"
+    assert_selector ".message", text: "Oops. You need to Signed up or Signed in."
+  end
+end
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,18 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"
+
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+  t.verbose = false
+end
+
+task default: :test

data/app/controllers/aikotoba/accounts_controller.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class AccountsController < ApplicationController
+    def new
+      @account = build_account({email: "", password: ""})
+    end
+
+    def create
+      @account = build_account(accounts_params.to_h.symbolize_keys)
+      ActiveRecord::Base.transaction do
+        before_create_account_process
+        save_with_callbacks!(@account)
+        after_create_account_process
+      end
+      redirect_to after_sign_up_path, flash: {notice: successed_message}
+    rescue ActiveRecord::RecordInvalid => e
+      failed_create_account_process(e)
+      flash[:alert] = failed_message
+      render :new, status: :unprocessable_entity
+    end
+
+    private
+
+    def accounts_params
+      params.require(:account).permit(:email, :password)
+    end
+
+    def build_account(params)
+      Account.build_by(attributes: params)
+    end
+
+    def save_with_callbacks!(account)
+      Account::Service::Registration.call!(account: account)
+    end
+
+    def after_sign_up_path
+      aikotoba.new_session_path
+    end
+
+    def successed_message
+      I18n.t(".aikotoba.messages.registration.success")
+    end
+
+    def failed_message
+      I18n.t(".aikotoba.messages.registration.failed")
+    end
+
+    # NOTE: Methods to override if you want to do something before account creation.
+    def before_create_account_process
+    end
+
+    # NOTE: Methods to override if you want to do something after account creation.
+    def after_create_account_process
+    end
+
+    # NOTE: Methods to override if you want to do something failed account creation.
+    def failed_create_account_process(e)
+    end
+  end
+end

data/app/controllers/aikotoba/application_controller.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class ApplicationController < Aikotoba.parent_controller.constantize
+    include EnabledFeatureCheckable
+
+    helper_method :confirmable?, :lockable?, :recoverable?, :registerable?
+
+    def aikotoba_controller?
+      true
+    end
+  end
+end

data/app/controllers/aikotoba/confirms_controller.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class ConfirmsController < ApplicationController
+    include Protection::TimingAtack
+
+    before_action :prevent_timing_atack, only: [:update]
+
+    def new
+      @account = build_account({email: "", password: ""})
+    end
+
+    def create
+      account = find_by_send_token_account!(confirm_accounts_params)
+      before_send_confirmation_token_process
+      send_token_account!(account)
+      after_send_confirmation_token_process
+      redirect_to success_send_confirmation_token_path, flash: {notice: success_send_confirmation_token_message}
+    rescue ActiveRecord::RecordNotFound => e
+      failed_send_confirmation_token_process(e)
+      @account = build_account({email: "", password: ""})
+      flash[:alert] = failed_send_confirmation_token_message
+      render :new, status: :unprocessable_entity
+    end
+
+    def update
+      account = find_by_has_token_account!(params)
+      before_confirm_process
+      confirm_account!(account)
+      after_confirm_process
+      redirect_to after_confirmed_path, flash: {notice: confirmed_message}
+    end
+
+    private
+
+    def confirm_accounts_params
+      params.require(:account).permit(:email)
+    end
+
+    def build_account(params)
+      Account.build_by(attributes: params)
+    end
+
+    def find_by_send_token_account!(params)
+      Account.unconfirmed.find_by!(email: params[:email])
+    end
+
+    def send_token_account!(account)
+      Account::Service::Confirmation.create_token!(account: account, notify: true)
+    end
+
+    def find_by_has_token_account!(params)
+      Account::ConfirmationToken.active.find_by!(token: params[:token]).account
+    end
+
+    def confirm_account!(account)
+      # NOTE: Confirmation is done using URL tokens, so it is done in the writing role.
+      ActiveRecord::Base.connected_to(role: :writing) do
+        Account::Service::Confirmation.confirm!(account: account)
+      end
+    end
+
+    def after_confirmed_path
+      aikotoba.new_session_path
+    end
+
+    def success_send_confirmation_token_path
+      aikotoba.new_session_path
+    end
+
+    def confirmed_message
+      I18n.t(".aikotoba.messages.confirmation.success")
+    end
+
+    def success_send_confirmation_token_message
+      I18n.t(".aikotoba.messages.confirmation.sent")
+    end
+
+    def failed_send_confirmation_token_message
+      I18n.t(".aikotoba.messages.confirmation.failed")
+    end
+
+    # NOTE: Methods to override if you want to do something before send confirm token.
+    def before_send_confirmation_token_process
+    end
+
+    # NOTE: Methods to override if you want to do something after send confirm token.
+    def after_send_confirmation_token_process
+    end
+
+    # NOTE: Methods to override if you want to do something failed send confirm token.
+    def failed_send_confirmation_token_process(e)
+    end
+
+    # NOTE: Methods to override if you want to do something before confirm.
+    def before_confirm_process
+    end
+
+    # NOTE: Methods to override if you want to do something after confirm.
+    def after_confirm_process
+    end
+  end
+end

data/app/controllers/aikotoba/recoveries_controller.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class RecoveriesController < ApplicationController
+    include Protection::TimingAtack
+
+    before_action :prevent_timing_atack, only: [:edit, :update]
+
+    def new
+      @account = build_account({email: "", password: ""})
+    end
+
+    def create
+      account = find_by_send_token_account!(send_recovery_token_params)
+      before_send_recovery_token_process
+      send_recovery_token!(account)
+      after_send_recovery_token_process
+      redirect_to success_send_recovery_token_path, flash: {notice: success_send_recovery_token_message}
+    rescue ActiveRecord::RecordNotFound => e
+      failed_send_recovery_token_process(e)
+      @account = build_account({email: "", password: ""})
+      flash[:alert] = failed_send_recovery_token_message
+      render :new, status: :unprocessable_entity
+    end
+
+    def edit
+      @account = find_by_has_token_account!(params)
+    end
+
+    def update
+      @account = find_by_has_token_account!(params)
+      before_recover_process
+      recover_account!(@account, recover_accounts_params[:password])
+      after_recover_process
+      redirect_to success_recovered_path, flash: {notice: success_recovered_message}
+    rescue ActiveRecord::RecordInvalid => e
+      failed_recover_process(e)
+      flash[:alert] = failed_message
+      render :edit, status: :unprocessable_entity
+    end
+
+    private
+
+    def send_recovery_token_params
+      params.require(:account).permit(:email)
+    end
+
+    def recover_accounts_params
+      params.require(:account).permit(:password)
+    end
+
+    def build_account(params)
+      Account.build_by(attributes: params)
+    end
+
+    def find_by_send_token_account!(params)
+      Account.find_by!(email: params[:email])
+    end
+
+    def find_by_has_token_account!(params)
+      Account::RecoveryToken.active.find_by!(token: params[:token]).account
+    end
+
+    def send_recovery_token!(account)
+      Account::Service::Recovery.create_token!(account: account, notify: true)
+    end
+
+    def recover_account!(account, new_password)
+      Account::Service::Recovery.recover!(account: account, new_password: new_password)
+    end
+
+    def success_recovered_path
+      aikotoba.new_session_path
+    end
+
+    def success_send_recovery_token_path
+      aikotoba.new_session_path
+    end
+
+    def failed_message
+      I18n.t(".aikotoba.messages.recovery.failed")
+    end
+
+    def success_recovered_message
+      I18n.t(".aikotoba.messages.recovery.success")
+    end
+
+    def success_send_recovery_token_message
+      I18n.t(".aikotoba.messages.recovery.sent")
+    end
+
+    def failed_send_recovery_token_message
+      I18n.t(".aikotoba.messages.recovery.sent_failed")
+    end
+
+    # NOTE: Methods to override if you want to do something before send recover token.
+    def before_send_recovery_token_process
+    end
+
+    # NOTE: Methods to override if you want to do something after send recover token.
+    def after_send_recovery_token_process
+    end
+
+    # NOTE: Methods to override if you want to do something failed send recover token.
+    def failed_send_recovery_token_process(e)
+    end
+
+    # NOTE: Methods to override if you want to do something before recover.
+    def before_recover_process
+    end
+
+    # NOTE: Methods to override if you want to do something after recover.
+    def after_recover_process
+    end
+
+    # NOTE: Methods to override if you want to do something failed recover.
+    def failed_recover_process(e)
+    end
+  end
+end