authenticatable 1.0.0

data/lib/authenticatable/controllers/url_helpers.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Authenticatable
+  module Controllers
+    module UrlHelpers
+      extend ActiveSupport::Concern
+
+      included do
+        if respond_to?(:helper_method)
+          helper_method :session_path, :new_session_path,
+                        :registration_path, :new_registration_path,
+                        :new_password_path, :password_path, :edit_password_url, :update_password_path
+        end
+      end
+
+      # Helper methods to generate a generic path helpers dynamically
+      # in views, based on the current scope.
+      # Example: session_path('user') => user_session_path
+      def new_session_path(resource_name)
+        :"new_#{resource_name}_session"
+      end
+
+      def session_path(resource_name)
+        :"#{resource_name}_session"
+      end
+
+      def new_registration_path(resource_name)
+        :"new_#{resource_name}_registration"
+      end
+
+      def registration_path(resource_name)
+        :"#{resource_name}_registration"
+      end
+
+      def new_password_path(resource_name)
+        :"new_#{resource_name}_password"
+      end
+
+      def password_path(resource_name)
+        :"#{resource_name}_password"
+      end
+
+      def update_password_path(resource_name, token)
+        public_send("update_#{resource_name}_password_path", token: token)
+      end
+
+      def edit_password_url(resource_name, token)
+        public_send("edit_#{resource_name}_password_url", token: token)
+      end
+
+      # End generic path helpers.
+
+      # The default url to redirect to after sign in. This URL
+      # can be overriden in your ApplicationController like this:
+      #
+      #   def after_sign_in_path(resource)
+      #     dashboard_path
+      #   end
+      #
+      def after_sign_in_path(_resource, _resource_name)
+        root_url
+      end
+    end
+  end
+end

data/lib/authenticatable/controllers.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "authenticatable/controllers/url_helpers"
+require "authenticatable/controllers/helpers"
+
+module Authenticatable
+  module Controllers
+  end
+end

data/lib/authenticatable/engine.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  # Makes Authenticatable available to Rails on initializing by injecting the
+  # Authenticatable manager into Rack middlewares.
+  class Engine < ::Rails::Engine
+    config.app_middleware.use(Authenticatable::Manager)
+
+    initializer "authenticatable.setup" do
+      # Make authenticatable helpers available on controllers.
+      ActionController::Base.include Authenticatable::Controllers::Helpers
+
+      # Make authenticatable method available on models.
+      ActiveRecord::Base.include Authenticatable::Models
+    end
+  end
+end

data/lib/authenticatable/errors/unauthenticated_error.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  class UnauthenticatedError < StandardError
+  end
+end

data/lib/authenticatable/errors.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require "authenticatable/errors/unauthenticated_error"
+
+module Authenticatable
+end

data/lib/authenticatable/manager.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  # The middleware for Rack Authentication that injects the authentication
+  # session into the rack environment hash.
+  class Manager
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      env["authenticatable"] = Authenticatable::Proxy.new(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/authenticatable/models/email_validator.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+require "valid_email2"
+
+module Authenticatable
+  module Models
+    module EmailValidator
+      extend ActiveSupport::Concern
+
+      included do
+        validates :email, presence: true, uniqueness: true
+        validates_format_of :email, with: Authenticatable.config.email_regexp
+      end
+    end
+  end
+end

data/lib/authenticatable/models/identifier.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Authenticatable
+  module Models
+    module Identifier
+      extend ActiveSupport::Concern
+
+      # Since the identifier_column can be set dynamically (to for example email or username)
+      # we'll need a common attribute to access the authenticated resource identifier.
+      def identifier
+        self[self.class.identifier_column]
+      end
+
+      class_methods do
+        # Search for a resource by the choosen identifier.
+        # find_by_identifier('foo@bar.com') is equivalent to find_by(email: 'foo@bar.com')
+        def find_by_identifier(value)
+          find_by("#{identifier_column}": normalize_identifier(value))
+        end
+
+        # Ensure identifier is a downcase string without spaces.
+        # Example:
+        #   fOo@b aR.com => foo@bar.com
+        def normalize_identifier(identifier)
+          identifier.to_s.downcase.gsub(/\s+/, "")
+        end
+
+        # Identifying column to use when looking up an authenticatable record in the database.
+        # Can be for example email or a username. Default is email.
+        def identifier_column
+          @identifier_column || Authenticatable.config.default_identifier
+        end
+
+        # Convient method to update the identifier_column.
+        def identify_by(column)
+          @identifier_column = column
+        end
+      end
+    end
+  end
+end

data/lib/authenticatable/models/password.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+require "bcrypt"
+
+module Authenticatable
+  module Models
+    module Password
+      extend ActiveSupport::Concern
+
+      included do
+        has_secure_password
+        validates_presence_of :password_confirmation, if: :password_digest_changed?
+        validates :password, length: Authenticatable.config.password_length, if: :password_digest_changed?
+      end
+
+      class_methods do
+        def authenticate_with_identifier(identifier, password)
+          if (resource = find_by_identifier(identifier))
+            resource&.authenticate(password) ? resource : nil
+          else
+            prevent_timing_attack
+          end
+        end
+
+        def find_by_reset_password_token(token)
+          return nil if token.blank?
+
+          expiration_time = Authenticatable.config.reset_password_expiration_time
+          where(reset_password_token: token).where("reset_password_sent_at > ?", expiration_time.ago).first
+        end
+
+        # Hash a random password even when a resource doesn't exist for the given identifier.
+        # This is necessary to protect against timing/enumeration attacks - e.g. the request
+        # is faster when a resource doesn't exist in the database if the password hashing
+        # algorithm is not called.
+        def prevent_timing_attack
+          new(password: "*")
+          nil
+        end
+      end
+
+      # Sets the :reset_password_token attribute to a random token
+      # generated by Authenticatable::Token
+      def flush_reset_password_token
+        self.reset_password_token = Authenticatable::Token.new
+        self.reset_password_sent_at = Time.current
+      end
+
+      # Sets the :reset_password_token attribute to a random token
+      # generated by Authenticatable::Token and saves the record
+      # without running validations.
+      def reset_password_token!
+        flush_reset_password_token
+        save(validate: false)
+      end
+
+      # Validates and sets the new password from secure_params and
+      # sets reset_password_token to nil.
+      def update_password(secure_params)
+        if secure_params[:password].blank?
+          errors.add(:password, :blank)
+          return false
+        end
+
+        self.password = secure_params[:password]
+        self.password_confirmation = secure_params[:password_confirmation]
+        flush_reset_password_token if valid?
+        save
+      end
+    end
+  end
+end

data/lib/authenticatable/models.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "authenticatable/models/email_validator"
+require "authenticatable/models/identifier"
+require "authenticatable/models/password"
+require "active_support/concern"
+
+module Authenticatable
+  module Models
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      attr_accessor :authenticatable_extensions, :authenticatable_loaded_extensions
+
+      def authenticatable(*extensions)
+        opts = extensions.extract_options!
+
+        # Add default extensions to class variable @authenticatable_extensions. These are added to a global accessible
+        # class var, so that we can access them from other places, like in extensions, views or controllers.
+        @authenticatable_extensions = (Authenticatable.config.default_extensions + extensions).uniq
+
+        # We'll add extensions here while they loaded. Can be useful for debugging
+        @authenticatable_loaded_extensions = []
+
+        # Remove extensions that are specified in the :skip attribute from the @authenticatable_extensions
+        # array. This can be useful if you for example want to disable any of the default extensions.
+        opts[:skip] = [opts[:skip]].flatten
+        opts[:skip].each { |s| @authenticatable_extensions.delete(s) } if opts[:skip].present?
+
+        # Load extensions into model
+        load_core_mixins
+
+        # Load extensions into model
+        load_model_extensions
+      end
+
+      private
+
+      # Loads extension concerns/mixins into the model class if it can find a module with
+      # the classified extension name in the Authenticatable::Models namespace.
+      #
+      # Example:
+      #   authenticatable extensions: { :email_validator }
+      # will include a module with name (if it exists):
+      #   Authenticatable::Models::EmailValidator
+      #
+      def load_model_extensions
+        @authenticatable_extensions.each do |extension|
+          module_name = "Authenticatable::Models::#{extension.to_s.classify}"
+          next unless const_defined?(module_name)
+
+          extension_module = const_get(module_name)
+          include extension_module
+          @authenticatable_loaded_extensions << module_name
+        end
+      end
+
+      # Concerns that should be included to the authenticatable model if
+      # initialized with the 'authenticatable'-method above.
+      def load_core_mixins
+        include Authenticatable::Models::EmailValidator
+        include Authenticatable::Models::Identifier
+        include Authenticatable::Models::Password
+      end
+    end
+  end
+end

data/lib/authenticatable/proxy.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  # The authenticatable session, persisted in env["authenticatable"]
+  class Proxy
+    def initialize(env)
+      @env = env
+      @current = {}
+      @config = Authenticatable.config
+    end
+
+    # Check if the given scope is already signed in or else run authenticated strategies it.
+    # This does not halt the flow of control and is a passive attempt to authenticate only.
+    # :api: public
+    def authenticate(scope)
+      current?(scope) || run_serializers_for(scope) || nil
+    end
+
+    # Same as +authenticate+ except on failure it will trow a
+    # :unauthenticated symbol.
+    # :api: public
+    def authenticate!(scope)
+      unless (resource = authenticate(scope))
+        raise Authenticatable::UnauthenticatedError
+      end
+
+      resource
+    end
+
+    # Add a resource/scope into the @current hash. This method is called after an authentication
+    # strategy has succeeded, but can also be used in tests/debugging to manually sign in a user.
+    #
+    # PLEASE NOTICE that this method DOES NOT perform any authentication strategies.
+    # To authenticate a user, you must use the +authenticate+ method instead.
+    def sign_in(resource, serializer = nil)
+      scope = scope_from_resource(resource)
+      @current[scope] = resource
+
+      unless serializer.nil?
+        klass = initialize_serializer(scope, serializer)
+        klass.store(resource.id)
+      end
+
+      resource
+    end
+
+    # Remove a resource/scope from the @current hash
+    def sign_out(resource, serializer = nil)
+      scope = scope_from_resource(resource)
+      @current[scope] = nil
+
+      unless serializer.nil?
+        klass = initialize_serializer(scope, serializer)
+        klass.purge!
+      end
+
+      true
+    end
+
+    # Provides access to the user object in a given scope for a request.
+    # Will be nil if not logged in or an instance of the resource if logged in.
+    #
+    # Examples:
+    #   env['authenticatable'].current?(:user) => #<User>
+    #   env['authenticatable'].current?(:admin) => #<Admin>
+    def current?(scope)
+      scope = scope.to_sym # Make sure to always use symbols.
+      @current[scope]
+    end
+
+    private
+
+    # :api: private
+    def run_serializers_for(scope)
+      serializers = %i[session]
+      serializers.each do |name|
+        serializer = initialize_serializer(scope, name)
+        if (record = serializer.fetch)
+          sign_in(record)
+          return record
+        end
+      end
+      nil
+    end
+
+    # Return a constantized class by scope name.
+    def initialize_serializer(scope, name)
+      class_name = name.to_s.classify
+      klass = "Authenticatable::Serializers::#{class_name}".constantize
+      klass.new(@env, scope)
+    end
+
+    # Convert an instance to a scope symbol by
+    # returning the param_key from ActiveModel#model_name
+    # Examples:
+    #   scope_from_resource(#<User>) => :user
+    #   scope_from_resource(#<Admin>) => :admin
+    def scope_from_resource(resource)
+      scope = resource.model_name.param_key
+      scope.to_sym # Make sure to always use symbols.
+    end
+  end
+end

data/lib/authenticatable/rails/routes.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Routing
+    class Mapper
+      def authenticatable(resource, options = {})
+        # Placeholder method for authenticatable generator.
+        scope = Authenticatable.add_scope(resource, options)
+        authenticatable_scope scope do
+          authenticatable_sessions(scope)
+          authenticatable_registrations(scope)
+          authenticatable_passwords(scope)
+        end
+      end
+
+      protected
+
+      def authenticatable_scope(scope, &block)
+        constraint = lambda do |request|
+          request.env["authenticatable.scope"] = scope
+          true
+        end
+
+        constraints(constraint) do
+          scope scope.path, as: scope.singular_name, &block
+        end
+      end
+
+      def authenticatable_sessions(scope)
+        return if scope.skip.include? :sessions
+
+        resource :session, only: [], path: "", controller: scope.controllers[:sessions] do
+          get :new, path: scope.path_names[:sign_in], as: :new
+          post :create, path: scope.path_names[:sign_in]
+          match :destroy, path: scope.path_names[:sign_out], as: :destroy,
+                          via: Authenticatable.config.allowed_sign_out_methods
+        end
+      end
+
+      def authenticatable_registrations(scope)
+        return if scope.skip.include? :registrations
+
+        resource :registration, only: [], path: "", controller: scope.controllers[:registrations] do
+          get :new, path: scope.path_names[:sign_up], as: :new
+          post :create, path: scope.path_names[:sign_up]
+        end
+      end
+
+      def authenticatable_passwords(scope)
+        return if scope.skip.include? :passwords
+
+        resource :password, only: [], path: "", controller: scope.controllers[:passwords] do
+          get :new, path: scope.path_names[:forgot_password], as: :new
+          post :create, path: scope.path_names[:forgot_password]
+          get :edit, path: scope.path_names[:reset_password], as: :edit
+          patch :update, path: scope.path_names[:reset_password], as: :update
+        end
+      end
+    end
+  end
+end

data/lib/authenticatable/rspec.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "rspec/rails"
+require "authenticatable/testing/controller_helpers"
+
+RSpec.configure do |config|
+  config.include Authenticatable::Testing::ControllerHelpers, type: :controller
+end

data/lib/authenticatable/scope.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/string/inflections"
+
+# rubocop:disable Layout/EmptyLinesAroundAttributeAccessor
+module Authenticatable
+  class Scope
+    # The resource name added by the authenticatable-route (for example :users)
+    attr_accessor :name
+    @name = nil
+
+    # The resource name converted to singluar (used by for example url helpers)
+    #   authenticatable :users generates helper methods like:
+    #   new_user_session_path and user_signed_in?
+    attr_accessor :singular_name
+    @singular_name = nil
+
+    # The resource name converted to plural (used to generate controllers etc). This is used
+    # as a fallback in case the user defines a resource in plural like:
+    #   authenticatable :user
+    attr_accessor :plural_name
+    @plural_name = nil
+
+    # You can customize a resource path to something other than the default,
+    # including the possibility to change path for I18n:
+    #    authenticatable :users, { path: I18n.translate('routes.account') }
+    attr_accessor :path
+    @path = {}
+
+    # You can customize a resource's path_names to something other than the default,
+    # including the possibility to change path names for I18n:
+    #    authenticatable :users, { path_names: { sign_in: I18n.translate('routes.login') } }
+    attr_accessor :path_names
+    @path_names = {}
+
+    # You can also specify another controller than the default one in case you
+    # want to override some controller actions.
+    attr_accessor :controllers
+    @controllers = {}
+
+    # You can also specify controllers you want to skip. For example if you
+    # want to disable registrations for an Admin resource.
+    attr_accessor :skip
+    @skip = {}
+
+    # Create a new Scope resource that can be added to Authenticatable.scopes
+    def initialize(resource_name, options = {})
+      @name = resource_name.to_s
+      @singular_name = ActiveSupport::Inflector.singularize(resource_name)
+      @plural_name = ActiveSupport::Inflector.pluralize(resource_name)
+      @path = options[:path] || default_path
+      @path_names = default_path_names.merge(options[:path_names] || {})
+      @controllers = default_controllers.merge(options[:controllers] || {})
+      @skip = *options[:skip]
+      @skip = @skip.map(&:to_sym)
+    end
+
+    def classify
+      ActiveSupport::Inflector.classify @singular_name
+    end
+
+    def klass
+      classify.constantize
+    end
+
+    # Create magic predicates for verifying that a
+    # controller exists and hasn't been skipped for
+    # the current scope in routes.rb.
+    #
+    # Example
+    #   current_scope.registrations? => false
+    # when registrations are skipped in routes:
+    #   authenticatable :admins, skip: [:registrations]
+    #
+    # rubocop:disable Style/MissingRespondToMissing
+    def method_missing(method_name)
+      @controllers.each do |controller, _routes|
+        return @skip.exclude?(controller) if method_name.to_s == "#{controller}?"
+      end
+
+      super # return NoMethodError
+    end
+    # rubocop:enable Style/MissingRespondToMissing
+
+    private
+
+    def default_path
+      @plural_name
+    end
+
+    def default_path_names
+      {
+        sign_in: "sign_in",
+        sign_up: "sign_up",
+        sign_out: "sign_out",
+        forgot_password: "forgot_password",
+        reset_password: "reset_password"
+      }
+    end
+
+    def default_controllers
+      {
+        sessions: "authenticatable/sessions",
+        registrations: "authenticatable/registrations",
+        passwords: "authenticatable/passwords"
+      }
+    end
+  end
+end
+# rubocop:enable Layout/EmptyLinesAroundAttributeAccessor

data/lib/authenticatable/serializers/base.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  module Serializers
+    class Base
+      # :api: public
+      attr_accessor :env, :scope, :record
+
+      # Initialize and prepare variables.
+      def initialize(env, scope)
+        @env = env
+        @scope = scope
+        @record = nil
+      end
+
+      # Access scope settings for current scope that was set in routes.rb
+      def current_scope
+        Authenticatable.scopes[scope.to_sym]
+      end
+
+      # Access the class for the current scope.
+      # For example if the current scope is "user":
+      #   resource_class.find(:id) == User.find(:id)
+      def resource_class
+        current_scope.klass
+      end
+
+      # Convenience access the rack request.
+      def request
+        @request ||= Rack::Request.new(@env)
+      end
+
+      # Delegate #params to request#params.
+      # Example:
+      #   params["foo"] == request.params["foo"]
+      delegate :params, to: :request
+    end
+  end
+end

data/lib/authenticatable/serializers/session.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  module Serializers
+    class Session < Authenticatable::Serializers::Base
+      # Fetch record from Rack session.
+      # Example:
+      #   serializer.fetch(:user) => <#User>
+      def fetch
+        return nil unless (record_id = request.session[session_key])
+
+        resource_class.find_by(id: record_id)
+      end
+
+      # Store record id in Rack session.
+      # Usage:
+      #   serializer.store(@resource)
+      def store(id)
+        request.session[session_key] = id
+      end
+
+      # Delete record id from Rack session
+      # Usage:
+      #   serializer.purge
+      def purge!
+        request.session.delete(session_key)
+      end
+
+      private
+
+      def session_key
+        :"authenticatable_#{@scope}_id"
+      end
+    end
+  end
+end