authenticatable 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 907a194f62507d83bdc23c1cee102bf5486544907b880637ca570fbfc55d7f78
-  data.tar.gz: 88a89169c344fa7e23333e41cee068195ffcd0d295ec6709fdcf20a5255a9368
+  metadata.gz: 1414dc1c8d7fe94e26249b1cec20c7d86996ea16829009f46cb87997170a6a7e
+  data.tar.gz: a67cef5b6641aa31aa924a7d660a934cba001aad953367c9db4fa92c75097ccf
 SHA512:
-  metadata.gz: 721cd0363327e1d76350df5bc14d9e2f668638b512b5fded8b999146d4a5ded469f3be10e591086b0224c12ce82afd37ea5943ae8095e5a330156a50f2848199
-  data.tar.gz: f072a1baefee474141d1b002a59e872a4eef10b3d8e8058a035af5514bcd5e560d690bdff055b076f402eba5186b2c61247790ef8e04bf85e834d82a4532beae
+  metadata.gz: d543450bac7a6b03b392906d36f984c6541e6aeab78db0c511553ef963396fc72096bbf1c941d39ddd4b5c5b20eeaedca98c880f66db7194d2e7f6274f03fa5d
+  data.tar.gz: 9eefefb04397c1514872be68dd67ceb710dc6696f1550213481d2a8161f2bc3e862ff0636edf912b56598eb5b0f14be38fb31d004a6b3504e7401601e73b6d5c

data/README.md

@@ -13,8 +13,8 @@ Authenticatable also ships with some **extra security features** that very often
 - Protection against [timing/enumeration attacks](https://www.kaspersky.com/blog/username-enumeration-attack/34618/) by hashing the password even if a user record isn't found.
 
 #### What's included?
-- Controllers and views for authentication & registration with support for both [turbo](https://github.com/hotwired/turbo-rails) and [turbolinks](https://github.com/turbolinks/turbolinks).
-- Support for multiple authenticatable models (like users/accounts/admins or whatever you want).
+- Controllers and views for authentication, registration & reset password with support for both [turbo](https://github.com/hotwired/turbo-rails) and [turbolinks](https://github.com/turbolinks/turbolinks).
+- Support for multiple user models (like users/accounts/admins or whatever you want).
 - Custom identifier column (sign in with for example username or phonenumber instead of email).
 - Customizable: Easily override default behaviors with your own.
 
@@ -27,17 +27,11 @@ Installation
 Add the following line to Gemfile:
 
 ```ruby
-gem "authenticatable", github: "kiqr/authenticatable" # Temporary use master as source before stable release.
+gem "authenticatable", "~> 1.0"
 ```
 
 and run `bundle install` from your terminal to install it.
 
-After you've installed the gem, you can run the generator to create an initializer file that allows further configuration:
-
-```console
-$ rails g authenticatable:install
-```
-
 Getting started
 ---------------
 
@@ -74,7 +68,7 @@ To restrict your whole application to signed-in users, you can add the before_ac
 
 #### Handling Authenticatable::UnauthenticatedError
 
-The `Authenticatable::UnauthenticatedError` exception is raised when calling `:authenticate_user!` in the controller and no valid user is signed in. You can catch the exception and modify its behavior in the ApplicationController. The behavior may vary depending on the request format and user scope. For example here we set a flash error message and redirect to the sign in page for HTML requests and return 403 Forbidden for JSON requests.
+The `Authenticatable::UnauthenticatedError` exception is raised when calling `:authenticate_user!` in the controller and no valid user is signed in. You can catch the exception and modify its behaviour in the ApplicationController. The behavior may vary depending on the request format and user scope. For example here we set a flash error message and redirect to the sign in page for HTML requests and return 403 Forbidden for JSON requests.
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -107,7 +101,7 @@ class User < ApplicationRecord
   
   # Identifying column to use when looking up an authenticatable record in the database.
   # Can be for example email or a username. Default is email.
-  identifiy_by :username
+  identify_by :username
   
   # You need to create your own validator for your identifier column.
   validates_presence_of :username

data/lib/authenticatable/models/email_validator.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "active_support/concern"
-require "valid_email2"
 
 module Authenticatable
   module Models

data/lib/authenticatable/models.rb

@@ -27,9 +27,6 @@ module Authenticatable
         opts[:skip] = [opts[:skip]].flatten
         opts[:skip].each { |s| @authenticatable_extensions.delete(s) } if opts[:skip].present?
 
-        # Load extensions into model
-        load_core_mixins
-
         # Load extensions into model
         load_model_extensions
       end
@@ -54,14 +51,6 @@ module Authenticatable
           @authenticatable_loaded_extensions << module_name
         end
       end
-
-      # Concerns that should be included to the authenticatable model if
-      # initialized with the 'authenticatable'-method above.
-      def load_core_mixins
-        include Authenticatable::Models::EmailValidator
-        include Authenticatable::Models::Identifier
-        include Authenticatable::Models::Password
-      end
     end
   end
 end

data/lib/authenticatable/rspec.rb

@@ -2,7 +2,9 @@
 
 require "rspec/rails"
 require "authenticatable/testing/controller_helpers"
+require "authenticatable/testing/request_helpers"
 
 RSpec.configure do |config|
   config.include Authenticatable::Testing::ControllerHelpers, type: :controller
+  config.include Authenticatable::Testing::RequestHelpers, type: :request
 end

data/lib/authenticatable/serializers/session.rb

@@ -16,6 +16,8 @@ module Authenticatable
       # Usage:
       #   serializer.store(@resource)
       def store(id)
+        delete_csrf_token
+        renew_session_id
         request.session[session_key] = id
       end
 
@@ -28,6 +30,19 @@ module Authenticatable
 
       private
 
+      # Protection against sessions fixation attacks by clearing the session_id on authentication.
+      def renew_session_id
+        return if request.env["rack.session.options"].blank?
+
+        request.env["rack.session.options"][:renew] = true
+      end
+
+      # Protect against cross-site request forgery (CSRF) by cleaning up the CSRF Token on authentication.
+      def delete_csrf_token
+        request.session.delete("_csrf_token")
+      end
+
+      # Returns the session key for a scoped authenticatable session.
       def session_key
         :"authenticatable_#{@scope}_id"
       end

data/lib/authenticatable/testing/request_helpers.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  module Testing
+    module RequestHelpers
+      def sign_in(resource, resource_name = "user", path = "/users/sign_in")
+        post path, params: { "#{resource_name}": {
+          email: resource.email,
+          password: resource.password
+        } }
+      end
+    end
+  end
+end

data/lib/authenticatable/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Authenticatable
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end

data/lib/authenticatable.rb

@@ -35,7 +35,7 @@ module Authenticatable
   #                    includes a Warden Strategy for authentication with password. It does also
   #                    add password validations to your authenticatable model.
   #
-  setting :default_extensions, %i[password]
+  setting :default_extensions, %i[identifier password email_validator]
 
   # Default column to use when looking up an authenticatable record in the database.
   # Can be for example email or a username. Default is :email. This can also be changed
@@ -46,6 +46,9 @@ module Authenticatable
   #
   setting :default_identifier, :email
 
+  # Set the default user scope
+  setting :default_scope, :user
+
   # The controller class that all Authenticatable controllers will inherit from.
   # Defaults to `ApplicationController`.
   setting :parent_controller, "ApplicationController"

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Rasmus Kjellberg
 - KIQR
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-02 00:00:00.000000000 Z
+date: 2021-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -39,21 +39,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.11.0
-- !ruby/object:Gem::Dependency
-  name: valid_email2
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 4.0.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 4.0.0
-description:
+description: 
 email: hello@kiqr.dev
 executables: []
 extensions: []
@@ -99,6 +85,7 @@ files:
 - lib/authenticatable/serializers/base.rb
 - lib/authenticatable/serializers/session.rb
 - lib/authenticatable/testing/controller_helpers.rb
+- lib/authenticatable/testing/request_helpers.rb
 - lib/authenticatable/token.rb
 - lib/authenticatable/version.rb
 - lib/generators/active_record/authenticatable_generator.rb
@@ -114,7 +101,7 @@ metadata:
   bug_tracker_uri: https://github.com/kiqr/authenticatable/issues
   documentation_uri: https://github.com/kiqr/authenticatable/issues
   source_code_uri: https://github.com/kiqr/authenticatable
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -129,8 +116,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.26
-signing_key:
+rubygems_version: 3.2.3
+signing_key: 
 specification_version: 4
 summary: Authentication solution for Ruby on Rails
 test_files: []