aikotoba 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 173aca2780a3086a9276f56c4bd59a1c4aedb6aa2a8f2d3e29068f00e8a5f417
-  data.tar.gz: d96bea3b841912e7586c07a984e58c6b0daea49109a3b73bc3cc90090cf7434f
+  metadata.gz: a8e76b0ed9268bcddffdb90924b637de6f65effe09b3da217dde7c26bbe97127
+  data.tar.gz: 363e1aea2df7ba058d4cde72c17cfe78bb51bbdc52d91f14ccd8594304d938b0
 SHA512:
-  metadata.gz: 050d2f984527212f1a0426fd830c0b0ae1dfff51ea3e75fda1a5596cc702175996f70c3bbf1ca9acf6b21ea2099863ee5dfa705654db8ad338053ce384aeb635
-  data.tar.gz: 7efcedd94cb09d06f9d846d6d43931ded9eb243dd7625f5a6ab74a41682082ca2d2b4c00feb27a1c282006ab04e44b70086d7024554ac4fe7e73cae273369f93
+  metadata.gz: 1ddf99bfd428b5bf537f36933413809fac6451eef82fb7becc62830fa38c3c478f9008269c8b83969d3974c5c7ae9a7041199dd8739ac1c604050ef424decc2e
+  data.tar.gz: cdbcd7e23e21a87bdd36ede42d74f0c446ecc8da75c1a48bac54e54a42ca00179e9cc7d9fde945f990200673d638ee7c5084d374379ab019be4666a80f6d867d

data/README.md

@@ -1,4 +1,5 @@
 [![CI](https://github.com/madogiwa0124/aikotoba/actions/workflows/ci.yml/badge.svg)](https://github.com/madogiwa0124/aikotoba/actions/workflows/ci.yml)
+[![Gem Version](https://badge.fury.io/rb/aikotoba.svg)](https://badge.fury.io/rb/aikotoba)
 
 # Aikotoba
 
@@ -152,6 +153,76 @@ Aikotoba enables a route to recover an account by password reset.
 | GET       | /recover/:token | Display page for recover account by password reset. |
 | PATCH     | /recover/:token | Recover account by password reset.                  |
 
+### Rate Limiting (Rails 8+ only)
+
+Aikotoba provides built-in rate limiting for email-sending endpoints to prevent email bombing attacks. This feature requires **Rails 8.0 or later**.
+
+Rate limiting is available for:
+
+- **Confirmation token requests** (`/confirm` POST endpoint)
+- **Unlock token requests** (`/unlock` POST endpoint)
+- **Password recovery token requests** (`/recover` POST endpoint)
+
+By default, rate limiting is disabled (empty configuration). To enable it, configure the respective options:
+
+```ruby
+Aikotoba.confirmation_rate_limit_options = {
+  to: 10,
+  within: 1.hour,
+  by: -> { request.params.dig(:account, :email).presence || request.remote_ip },
+  only: :create
+}
+```
+
+When rate limiting is triggered, requests that exceed the limit will receive a 429 (Too Many Requests) response.
+
+For detailed configuration examples and options, see the [Configuration](#configuration) section below.
+
+### Multiple Scopes
+
+Aikotoba supports multiple scopes.
+
+You can add a scope by `Aikotoba.add_scope` method. For example, the following code adds an `admin` scope. Unspecified values will be copied from the `default` scope.
+
+```ruby
+Aikotoba.add_scope(:admin, {
+  session_key: "aikotoba_admin_session_token",
+  root_path: "/admin",
+  sign_in_path: "/admin/sign_in",
+  sign_up_path: "/admin/sign_up",
+  after_sign_in_path: "/admin/sensitives",
+  after_sign_out_path: "/admin/sign_in",
+  sign_out_path: "/admin/sign_out",
+  confirm_path: "/admin/confirm",
+  unlock_path: "/admin/unlock",
+  recover_path: "/admin/recover"
+})
+```
+
+As shown below, you can perform separate authentication with `/sign_in` and `/admin/sign_in`.
+
+```sh
+$ bin/rails routes
+Routes for Aikotoba::Engine:
+                         Prefix Verb   URI Pattern                     Controller#Action
+                    new_session GET    /sign_in(.:format)              aikotoba/sessions#new
+              admin_new_session GET    /admin/sign_in(.:format)        aikotoba/sessions#new
+```
+
+The scope is determined dynamically by the root path. For example, when accessing `/admin/sign_in`, the `admin` scope is selected.
+
+To automatically switch scopes and get paths, use the `Aikotoba::Scopable#aikotoba_scoped_path` helper method.
+
+```ruby
+include Aikotoba::Scopable
+
+helper_method :aikotoba_scoped_path
+
+aikotoba_scoped_path(:new_session)
+#=> "/sign_in" (if current scope is :default)
+#=> "/admin/sign_in" (if current scope is :admin)
+```
+
 ## Configuration
 
 The following configuration parameters are supported. You can override it. (ex. `initializers/aikotoba.rb`)
@@ -159,37 +230,177 @@ The following configuration parameters are supported. You can override it. (ex.
 ```ruby
 require 'aikotoba'
 
+# ============================================
+# Global settings
+# ============================================
+
 Aikotoba.parent_controller = "ApplicationController"
 Aikotoba.parent_mailer = "ActionMailer::Base"
 Aikotoba.mailer_sender = "from@example.com"
 Aikotoba.email_format = /\A[^\s]+@[^\s]+\z/
-Aikotoba.prevent_timing_atack = true
 Aikotoba.password_pepper = "aikotoba-default-pepper"
 Aikotoba.password_length_range = 8..100
-Aikotoba.sign_in_path = "/sign_in"
-Aikotoba.sign_out_path = "/sign_out"
-Aikotoba.after_sign_in_path = "/"
-Aikotoba.after_sign_out_path = "/sign_in"
+Aikotoba.session_expiry = 7.days
+
 
 # for registerable
 Aikotoba.registerable = true
-Aikotoba.sign_up_path = "/sign_up"
 
 # for confirmable
 Aikotoba.confirmable = false
-Aikotoba.confirm_path = "/confirm"
 Aikotoba.confirmation_token_expiry = 1.day
 
 # for lockable
 Aikotoba.lockable = false
-Aikotoba.unlock_path = "/unlock"
 Aikotoba.max_failed_attempts = 10
 Aikotoba.unlock_token_expiry = 1.day
 
 # for Recoverable
 Aikotoba.recoverable = false
-Aikotoba.recover_path = "/recover"
 Aikotoba.recovery_token_expiry = 4.hours
+
+# ============================================
+# Rate Limiting (Rails 8+ required)
+# ============================================
+# Rate limiting protects email-sending endpoints (confirm, unlock, recover) from email bombing attacks.
+# Default (empty hash): no rate limiting
+
+# Requires Rails 8.0+ to use the built-in rate_limit feature.
+#
+# Configuration format: { to: <max_requests>, within: <time_duration>, by: <identifier_proc>, only: <action> }
+#
+# SECURITY RECOMMENDATION:
+# Use .dig() with fallback to prevent nil errors and ensure rate limiting always works:
+#   by: -> { request.params.dig(:account, :email).presence || request.remote_ip }
+#
+# This ensures:
+# - Invalid or missing email params don't bypass rate limiting
+# - Fallback to IP address when email is not provided
+# - Protection against email enumeration attacks
+#
+# Examples:
+
+# Limit confirmation token requests to 10 per hour, per email address (with IP fallback)
+Aikotoba.confirmation_rate_limit_options = {
+  to: 10,
+  within: 1.hour,
+  by: -> { request.params.dig(:account, :email).presence || request.remote_ip },
+  only: :create
+}
+
+# Limit unlock token requests to 5 per hour, per email address (stricter for security)
+Aikotoba.unlock_rate_limit_options = {
+  to: 5,
+  within: 1.hour,
+  by: -> { request.params.dig(:account, :email).presence || request.remote_ip },
+  only: :create
+}
+
+# Limit recovery token requests to 3 per hour, per email address (most strict for password recovery)
+Aikotoba.recovery_rate_limit_options = {
+  to: 3,
+  within: 1.hour,
+  by: -> { request.params.dig(:account, :email).presence || request.remote_ip },
+  only: :create
+}
+
+# Rate limiting by IP address only (simpler, but less precise)
+# Aikotoba.confirmation_rate_limit_options = {
+#   to: 20,
+#   within: 1.hour,
+#   by: -> { request.remote_ip },
+#   only: :create
+# }
+
+# ============================================
+# Scope settings
+# ============================================
+
+# for Default Scope
+# You can override only the necessary keys.
+Aikotoba.default_scope = {
+  authenticate_for: nil,  # No restriction for default scope
+  session_key: "aikotoba_session_token",
+  root_path: "/",
+  sign_in_path: "/sign_in",
+  sign_out_path: "/sign_out",
+  sign_up_path: "/sign_up",
+  confirm_path: "/confirm",
+  unlock_path: "/unlock",
+  recover_path: "/recover",
+  after_sign_in_path: "/sensitives",
+  after_sign_out_path: "/sign_in"
+}
+
+# for Additional Scopes
+Aikotoba.add_scope(:admin, {
+  authenticate_for: "Admin",  # Restrict authentication to Admin accounts
+  session_key: "aikotoba_admin_session_token",
+  root_path: "/admin",
+  sign_in_path: "/admin/sign_in",
+  sign_out_path: "/admin/sign_out",
+  sign_up_path: "/admin/sign_up",
+  confirm_path: "/admin/confirm",
+  unlock_path: "/admin/unlock",
+  recover_path: "/admin/recover",
+  after_sign_in_path: "/admin/sensitives",
+  after_sign_out_path: "/admin/sign_in"
+})
+```
+
+### Scope Configuration Details
+
+`Aikotoba.default_scope=` **merges** the provided hash into the existing default scope (does not replace):
+
+```ruby
+# Single key update
+Aikotoba.default_scope[:sign_in_path] = "/custom"
+
+# Multiple keys update (recommended for bulk changes)
+Aikotoba.default_scope = {
+  sign_in_path: "/custom_sign_in",
+  after_sign_in_path: "/dashboard"
+}
+# Other keys (root_path, session_key, etc.) remain unchanged
+```
+
+Both approaches are valid. Use direct key assignment for single changes, or use `default_scope=` for updating multiple keys at once.
+
+#### Filtering by authenticate target type
+
+You can restrict authentication to specific target types by setting `authenticate_for`:
+
+```ruby
+Aikotoba.add_scope(:admin, {
+  authenticate_for: "Admin",  # Only Admin accounts can sign in to this scope
+  root_path: "/admin",
+  sign_in_path: "/admin/sign_in",
+  # ...
+})
+```
+
+When `authenticate_for` is set, only accounts with matching `authenticate_target_type` will authenticate successfully in that scope.
+This is useful for separating authentication between different user types (e.g., Admin vs User).
+
+**Note:** The account type is determined by the model associated via `authenticate_target`. Set up your associations in `after_create_account_process`:
+
+```ruby
+Rails.application.config.to_prepare do
+  Aikotoba::AccountsController.class_eval do
+    def after_create_account_process
+      if aikotoba_scope.admin?
+        admin = Admin.new(nickname: "admin_foo")
+        @account.authenticate_target = admin
+        admin.save!
+      else
+        user = User.new(nickname: "foo")
+        @account.authenticate_target = user
+        user.save!
+      end
+      @account.save!
+    end
+  end
+end
 ```
 
 ## Tips
@@ -218,9 +429,17 @@ require 'aikotoba'
 Rails.application.config.to_prepare do
   Aikotoba::AccountsController.class_eval do
     def after_create_account_process
-      profile = Profile.new(nickname: "foo")
-      profile.save!
-      @account.update!(authenticate_target: profile)
+      # You can get the scope name by `aikotoba_scope` method.
+      if aikotoba_scope.admin?
+        admin = Admin.new(nickname: "admin_foo")
+        @account.authenticate_target = admin
+        admin.save!
+      else
+        user = User.new(nickname: "foo")
+        @account.authenticate_target = user
+        user.save!
+      end
+      @account.save!
     end
   end
 end
@@ -229,8 +448,20 @@ class Profile < ApplicationRecord
   has_one :account, class_name: 'Aikotoba::Account', as: :authenticate_target
 end
 
+class Admin < ApplicationRecord
+  has_one :account, class_name: 'Aikotoba::Account', as: :authenticate_target
+end
+```
+
+Then, you can get the associated model from `Aikotoba::Account` instance.
+
+```ruby
+
 current_account.profile #=> Profile instance
 profile.account #=> Aikotoba::Account instance
+
+current_account.admin #=> Admin instance
+admin.account #=> Aikotoba::Account instance
 ```
 
 ### Do something on before, after, failure.
@@ -257,7 +488,7 @@ Tokens can be encrypted using Active Record Encryption, introduced in Active Rec
 To use it, enable Aikotoba.encipted_token in the initializer.
 
 ```ruby
-Aikotoba.encypted_token = true
+Aikotoba.encrypted_token = true
 ```
 
 ### How to identify the controller provided.

data/Rakefile

@@ -3,8 +3,6 @@ require "bundler/setup"
 APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
 load "rails/tasks/engine.rake"
 
-load "rails/tasks/statistics.rake"
-
 require "bundler/gem_tasks"
 
 require "rake/testtask"

data/app/controllers/aikotoba/accounts_controller.rb

@@ -31,11 +31,11 @@ module Aikotoba
     end
 
     def save_with_callbacks!(account)
-      Account::Service::Registration.call!(account: account)
+      account.register!
     end
 
     def after_sign_up_path
-      aikotoba.new_session_path
+      aikotoba_scoped_path(:new_session_path)
     end
 
     def successed_message

data/app/controllers/aikotoba/application_controller.rb

@@ -3,8 +3,9 @@
 module Aikotoba
   class ApplicationController < Aikotoba.parent_controller.constantize
     include EnabledFeatureCheckable
+    include Scopable
 
-    helper_method :confirmable?, :lockable?, :recoverable?, :registerable?
+    helper_method :confirmable?, :lockable?, :recoverable?, :registerable?, :aikotoba_scoped_path, :aikotoba_scoped_path, :aikotoba_scope
 
     def aikotoba_controller?
       true

data/app/controllers/aikotoba/confirms_controller.rb

@@ -2,9 +2,14 @@
 
 module Aikotoba
   class ConfirmsController < ApplicationController
-    include Protection::TimingAtack
+    include Protection::RateLimiting
 
-    before_action :prevent_timing_atack, only: [:update]
+    def self.confirmation_rate_limit_options
+      Aikotoba.confirmation_rate_limit_options
+    end
+    private_class_method :confirmation_rate_limit_options
+
+    rate_limit(**confirmation_rate_limit_options)
 
     def new
       @account = build_account({email: "", password: ""})
@@ -15,12 +20,11 @@ module Aikotoba
       before_send_confirmation_token_process
       send_token_account!(account)
       after_send_confirmation_token_process
-      redirect_to success_send_confirmation_token_path, flash: {notice: success_send_confirmation_token_message}
     rescue ActiveRecord::RecordNotFound => e
       failed_send_confirmation_token_process(e)
-      @account = build_account({email: "", password: ""})
-      flash[:alert] = failed_send_confirmation_token_message
-      render :new, status: :unprocessable_entity
+    ensure
+      # NOTE: Always show success message to avoid account enumeration.
+      redirect_to success_send_confirmation_token_path, flash: {notice: success_send_confirmation_token_message}
     end
 
     def update
@@ -46,7 +50,7 @@ module Aikotoba
     end
 
     def send_token_account!(account)
-      Account::Service::Confirmation.create_token!(account: account, notify: true)
+      Account::Confirmation.create_token!(account: account, notify: true)
     end
 
     def find_by_has_token_account!(params)
@@ -56,16 +60,16 @@ module Aikotoba
     def confirm_account!(account)
       # NOTE: Confirmation is done using URL tokens, so it is done in the writing role.
       ActiveRecord::Base.connected_to(role: :writing) do
-        Account::Service::Confirmation.confirm!(account: account)
+        Account::Confirmation.confirm!(account: account)
       end
     end
 
     def after_confirmed_path
-      aikotoba.new_session_path
+      aikotoba_scoped_path(:new_session_path)
     end
 
     def success_send_confirmation_token_path
-      aikotoba.new_session_path
+      aikotoba_scoped_path(:new_session_path)
     end
 
     def confirmed_message
@@ -76,10 +80,6 @@ module Aikotoba
       I18n.t(".aikotoba.messages.confirmation.sent")
     end
 
-    def failed_send_confirmation_token_message
-      I18n.t(".aikotoba.messages.confirmation.failed")
-    end
-
     # NOTE: Methods to override if you want to do something before send confirm token.
     def before_send_confirmation_token_process
     end

data/app/controllers/aikotoba/recoveries_controller.rb

@@ -2,9 +2,14 @@
 
 module Aikotoba
   class RecoveriesController < ApplicationController
-    include Protection::TimingAtack
+    include Protection::RateLimiting
 
-    before_action :prevent_timing_atack, only: [:edit, :update]
+    def self.recovery_rate_limit_options
+      Aikotoba.recovery_rate_limit_options
+    end
+    private_class_method :recovery_rate_limit_options
+
+    rate_limit(**recovery_rate_limit_options)
 
     def new
       @account = build_account({email: "", password: ""})
@@ -15,12 +20,11 @@ module Aikotoba
       before_send_recovery_token_process
       send_recovery_token!(account)
       after_send_recovery_token_process
-      redirect_to success_send_recovery_token_path, flash: {notice: success_send_recovery_token_message}
     rescue ActiveRecord::RecordNotFound => e
       failed_send_recovery_token_process(e)
-      @account = build_account({email: "", password: ""})
-      flash[:alert] = failed_send_recovery_token_message
-      render :new, status: :unprocessable_entity
+    ensure
+      # NOTE: Always show success message to avoid account enumeration.
+      redirect_to success_send_recovery_token_path, flash: {notice: success_send_recovery_token_message}
     end
 
     def edit
@@ -62,19 +66,19 @@ module Aikotoba
     end
 
     def send_recovery_token!(account)
-      Account::Service::Recovery.create_token!(account: account, notify: true)
+      Account::Recovery.create_token!(account: account, notify: true)
     end
 
     def recover_account!(account, new_password)
-      Account::Service::Recovery.recover!(account: account, new_password: new_password)
+      Account::Recovery.recover!(account: account, new_password: new_password)
     end
 
     def success_recovered_path
-      aikotoba.new_session_path
+      aikotoba_scoped_path(:new_session_path)
     end
 
     def success_send_recovery_token_path
-      aikotoba.new_session_path
+      aikotoba_scoped_path(:new_session_path)
     end
 
     def failed_message
@@ -89,10 +93,6 @@ module Aikotoba
       I18n.t(".aikotoba.messages.recovery.sent")
     end
 
-    def failed_send_recovery_token_message
-      I18n.t(".aikotoba.messages.recovery.sent_failed")
-    end
-
     # NOTE: Methods to override if you want to do something before send recover token.
     def before_send_recovery_token_process
     end

data/app/controllers/aikotoba/sessions_controller.rb

@@ -40,15 +40,15 @@ module Aikotoba
     end
 
     def authenticate_account(params)
-      Account.authenticate_by(attributes: params)
+      Account.authenticate_by(attributes: params, target_type_name: aikotoba_authenticate_target)
     end
 
     def after_sign_in_path
-      Aikotoba.after_sign_in_path
+      aikotoba_scope_config[:after_sign_in_path]
     end
 
     def after_sign_out_path
-      Aikotoba.after_sign_out_path
+      aikotoba_scope_config[:after_sign_out_path]
     end
 
     def successed_message

data/app/controllers/aikotoba/unlocks_controller.rb

@@ -2,9 +2,14 @@
 
 module Aikotoba
   class UnlocksController < ApplicationController
-    include Protection::TimingAtack
+    include Protection::RateLimiting
 
-    before_action :prevent_timing_atack, only: [:update]
+    def self.unlock_rate_limit_options
+      Aikotoba.unlock_rate_limit_options
+    end
+    private_class_method :unlock_rate_limit_options
+
+    rate_limit(**unlock_rate_limit_options)
 
     def new
       @account = build_account({email: "", password: ""})
@@ -15,12 +20,11 @@ module Aikotoba
       before_send_unlock_token_process
       send_token_account!(account)
       after_send_unlock_token_process
-      redirect_to success_send_unlock_token_path, flash: {notice: success_send_unlock_token_message}
     rescue ActiveRecord::RecordNotFound => e
       failed_send_unlock_token_process(e)
-      @account = build_account({email: "", password: ""})
-      flash[:alert] = failed_send_unlock_token_message
-      render :new, status: :unprocessable_entity
+    ensure
+      # NOTE: Always show success message to avoid account enumeration.
+      redirect_to success_send_unlock_token_path, flash: {notice: success_send_unlock_token_message}
     end
 
     def update
@@ -46,7 +50,7 @@ module Aikotoba
     end
 
     def send_token_account!(account)
-      Account::Service::Lock.create_unlock_token!(account: account, notify: true)
+      Account::Lock.create_unlock_token!(account: account, notify: true)
     end
 
     def find_by_has_token_account!(params)
@@ -56,16 +60,16 @@ module Aikotoba
     def unlock_account!(account)
       # NOTE: Unlocking is done using URL tokens, so it is done in the writing role.
       ActiveRecord::Base.connected_to(role: :writing) do
-        Account::Service::Lock.unlock!(account: account)
+        Account::Lock.unlock!(account: account)
       end
     end
 
     def after_unlocked_path
-      aikotoba.new_session_path
+      aikotoba_scoped_path(:new_session_path)
     end
 
     def success_send_unlock_token_path
-      aikotoba.new_session_path
+      aikotoba_scoped_path(:new_session_path)
     end
 
     def unlocked_message
@@ -76,10 +80,6 @@ module Aikotoba
       I18n.t(".aikotoba.messages.unlocking.sent")
     end
 
-    def failed_send_unlock_token_message
-      I18n.t(".aikotoba.messages.unlocking.failed")
-    end
-
     # NOTE: Methods to override if you want to do something before send unlock token.
     def before_send_unlock_token_process
     end