authenticatable 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 907a194f62507d83bdc23c1cee102bf5486544907b880637ca570fbfc55d7f78
+  data.tar.gz: 88a89169c344fa7e23333e41cee068195ffcd0d295ec6709fdcf20a5255a9368
+SHA512:
+  metadata.gz: 721cd0363327e1d76350df5bc14d9e2f668638b512b5fded8b999146d4a5ded469f3be10e591086b0224c12ce82afd37ea5943ae8095e5a330156a50f2848199
+  data.tar.gz: f072a1baefee474141d1b002a59e872a4eef10b3d8e8058a035af5514bcd5e560d690bdff055b076f402eba5186b2c61247790ef8e04bf85e834d82a4532beae

data/LICENSE.md

@@ -0,0 +1,19 @@
+Copyright (c) 2021 The Authenticatable developers.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,144 @@
+Authenticatable 
+==============
+[![RuboCop Github Action](https://github.com/kiqr/authenticatable/actions/workflows/rubocop.yml/badge.svg)](https://github.com/kiqr/authenticatable/actions/workflows/rubocop.yml)
+[![RSpec](https://github.com/kiqr/authenticatable/actions/workflows/rspec.yml/badge.svg)](https://github.com/kiqr/authenticatable/actions/workflows/rspec.yml)
+[![codecov](https://codecov.io/gh/kiqr/authenticatable/branch/main/graph/badge.svg?token=UZMGXQKJRL)](https://codecov.io/gh/kiqr/authenticatable)
+[![MIT License](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE.md)
+
+An authentication solution for Rails that works on top of Rails built-in [has_secure_password](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html). Authenticatable ships with controllers, helpers, views and model generators. The purpose of Authenticatable is to enable you to kickstart a new Rails project without having to spend time on writing repetitive code that shouldn't have to be repeated in each project.
+
+Authenticatable also ships with some **extra security features** that very often are forgotten by developers and the authors of the many available [has_secure_password](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html) tutorials:
+- Protection against [sessions fixation attacks](https://guides.rubyonrails.org/security.html#session-fixation) by clearing the session_id on authentication.
+- Protection against [cross-site request forgery (CSRF)](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf) by cleaning up the CSRF Token on authentication.
+- Protection against [timing/enumeration attacks](https://www.kaspersky.com/blog/username-enumeration-attack/34618/) by hashing the password even if a user record isn't found.
+
+#### What's included?
+- Controllers and views for authentication & registration with support for both [turbo](https://github.com/hotwired/turbo-rails) and [turbolinks](https://github.com/turbolinks/turbolinks).
+- Support for multiple authenticatable models (like users/accounts/admins or whatever you want).
+- Custom identifier column (sign in with for example username or phonenumber instead of email).
+- Customizable: Easily override default behaviors with your own.
+
+#### Supported Rails/Ruby versions
+Tests run against Rails versions `~> 5.2.0`, `~> 6.0.0`, `~> 6.1.0` and `~> 7.0.0.alpha2` under Ruby versions `2.6`, `2.7` and `3.0`
+
+Installation
+------------
+
+Add the following line to Gemfile:
+
+```ruby
+gem "authenticatable", github: "kiqr/authenticatable" # Temporary use master as source before stable release.
+```
+
+and run `bundle install` from your terminal to install it.
+
+After you've installed the gem, you can run the generator to create an initializer file that allows further configuration:
+
+```console
+$ rails g authenticatable:install
+```
+
+Getting started
+---------------
+
+The first step is to create an authenticatable model. To generate an authenticatable model run the following command:
+
+```console
+$ rails g authenticatable NAME
+```
+
+This will generate a model with the given ```NAME``` (if one does not exist) with configuration for authenticatable, a migration file and routes. The output should be something similar to:
+
+```console
+foo@bar:~$ rails g authenticatable user
+Running via Spring preloader in process 99920
+      invoke  active_record
+      create    db/migrate/20210909215956_authenticatable_create_users.rb
+      create    app/models/user.rb
+      invoke    test_unit
+      create      test/models/user_test.rb
+      create      test/fixtures/users.yml
+      insert    app/models/user.rb
+       route    authenticatable :users
+```
+
+### Securing your application
+
+To set up a controller with authentication, just add the before_action `authenticate_{scope}!`. To require a `User` to be signed in:
+
+```ruby
+before_action :authenticate_user! # Block unauthenticated requests to the current controller
+```
+
+To restrict your whole application to signed-in users, you can add the before_action above to your ```ApplicationController```.
+
+#### Handling Authenticatable::UnauthenticatedError
+
+The `Authenticatable::UnauthenticatedError` exception is raised when calling `:authenticate_user!` in the controller and no valid user is signed in. You can catch the exception and modify its behavior in the ApplicationController. The behavior may vary depending on the request format and user scope. For example here we set a flash error message and redirect to the sign in page for HTML requests and return 403 Forbidden for JSON requests.
+
+```ruby
+class ApplicationController < ActionController::Base
+  before_action :authenticate_user!
+  rescue_from Authenticatable::UnauthenticatedError do
+    respond_to do |format|
+      format.json { head :forbidden }
+      format.html { redirect_to new_user_session_path, alert: "Please sign in to continue." }
+    end
+  end
+end
+```
+
+Customizing
+-----------
+
+### Views
+You probably want to (and should) modify the default Authenticatable views. To copy the views to your application run the following generator:
+
+```console
+$ rails g authenticatable:views
+```
+
+### Changing the model identifier
+By default, a user is identified by `email` and password when logging in. But maybe you want your users to login using a `username` or something else instead of email. Luckely, that's easy done with Authenticatable:
+
+```ruby
+class User < ApplicationRecord
+  authenticatable
+  
+  # Identifying column to use when looking up an authenticatable record in the database.
+  # Can be for example email or a username. Default is email.
+  identifiy_by :username
+  
+  # You need to create your own validator for your identifier column.
+  validates_presence_of :username
+end
+```
+
+Just make sure that the `username` column exists with a **unique index** in your database:
+
+```shell
+$ rails g migration add_username_to_users username:string:uniq
+```
+
+Contributing
+------------
+If you are interested in reporting/fixing issues and contributing directly to the code base, please see [CONTRIBUTING.md](CONTRIBUTING.md) for more information on what we're looking for and how to get started.
+
+Versioning
+----------
+This library aims to adhere to [Semantic Versioning 2.0.0](http://semver.org/). Violations
+of this scheme should be reported as bugs. Specifically, if a minor or patch
+version is released that breaks backward compatibility, that version should be
+immediately yanked and/or a new version should be immediately released that
+restores compatibility. Breaking changes to the public API will only be
+introduced with new major versions. As a result of this policy, you can (and
+should) specify a dependency on this gem using the [Pessimistic Version
+Constraint](http://guides.rubygems.org/patterns/#pessimistic-version-constraint) with two digits of precision. For example:
+
+```ruby
+gem "authenticatable", "~> 1.0"
+```
+
+License
+-------
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/app/controllers/authenticatable/passwords_controller.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  class PasswordsController < AuthenticatableController
+    before_action :require_unauthenticated!
+
+    def new
+      @resource = resource_class.new
+    end
+
+    def create
+      if (@resource = resource_class.find_by_identifier(identifier))
+        @resource&.reset_password_token!
+        Authenticatable::Mailer.reset_password(@resource, resource_name).deliver_now
+      end
+
+      set_flash_message(:notice, :create, { identifier_column: identifier_column })
+      redirect_to new_password_path(resource_name)
+    end
+
+    def edit
+      @resource = resource_class.find_by_reset_password_token(params[:token])
+      return unless @resource.nil?
+
+      set_flash_message(:alert, :invalid_token)
+      redirect_to new_password_path(resource_name)
+    end
+
+    def update
+      unless (@resource = resource_class.find_by_reset_password_token(params[:token]))
+        set_flash_message(:alert, :invalid_token)
+        return redirect_to new_password_path(resource_name)
+      end
+
+      return render :edit, status: :unprocessable_entity unless @resource.update_password(edit_params)
+
+      set_flash_message(:notice, :updated)
+      redirect_to new_session_path(resource_name)
+    end
+
+    private
+
+    def edit_params
+      params.require(resource_name).permit(:password, :password_confirmation)
+    end
+
+    def identifier
+      params.dig(resource_name, resource_class.identifier_column.to_s)
+    end
+  end
+end

data/app/controllers/authenticatable/registrations_controller.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  class RegistrationsController < AuthenticatableController
+    before_action :require_unauthenticated!
+
+    def new
+      @resource = resource_class.new
+    end
+
+    def create
+      @resource = resource_class.new(create_params)
+      if @resource.save
+        set_flash_message(:notice, :success)
+        redirect_to new_session_path(resource_name)
+      else
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    private
+
+    # Strong parameters for the create action (sign in).
+    def create_params
+      params.require(resource_name).permit(:username, :email, :password, :password_confirmation)
+    end
+  end
+end

data/app/controllers/authenticatable/sessions_controller.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  class SessionsController < AuthenticatableController
+    before_action :require_unauthenticated!, except: :destroy
+
+    def new
+      @resource = resource_class.new
+    end
+
+    def create
+      @resource = sign_in(params, :session)
+      if signed_in?
+        set_flash_message(:notice, :success, { identifier: @resource.identifier })
+        redirect_to root_path
+      else
+        set_flash_message(:alert, :invalid_credentials, { identifier: identifier_label.downcase })
+        redirect_to new_session_path(resource_name)
+      end
+    end
+
+    def destroy
+      @resource = authenticatable.authenticate!(resource_name)
+      sign_out(@resource, :session) unless @resource.nil?
+      set_flash_message(:notice, :destroy)
+      redirect_to new_user_session_path
+    end
+
+    private
+
+    def signed_in?
+      !!authenticatable.authenticate(resource_name)
+    end
+
+    # Authenticate and sign in a user with a provided identifier and password
+    def sign_in(params, serializer)
+      identifier = params.dig(resource_name, resource_class.identifier_column.to_s)
+      password = params.dig(resource_name, "password")
+      record = resource_class.authenticate_with_identifier(identifier, password)
+      authenticatable.sign_in(record, serializer) unless record.nil?
+      record || nil
+    end
+
+    # Sign out the passed resource.
+    def sign_out(resource, serializer)
+      authenticatable.sign_out(resource, serializer)
+    end
+  end
+end

data/app/controllers/authenticatable_controller.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+class AuthenticatableController < Authenticatable.config.parent_controller.constantize
+  helper_method :authenticatable_scope, :resource, :resource_name, :resource_class,
+                :identifier_column, :identifier_label
+
+  # Make @resource available in views without @ prefix.
+  # Example:
+  #   resource => @resource
+  attr_reader :resource
+
+  # Convinience method to access request.env["authenticatable"]
+  # Example:
+  #   authenticatable.sign_in() => request.env["authenticatable"].sign_in()
+  def authenticatable
+    @authenticatable ||= request.env["authenticatable"]
+  end
+
+  # Attempt to find the scope for authenticatable based
+  # on env variable set by router constraint.
+  def authenticatable_scope
+    @authenticatable_scope ||= request.env["authenticatable.scope"]
+  end
+
+  # Returns the resource_name from current scope.
+  # Example:
+  #   resource_name => user
+  def resource_name
+    authenticatable_scope.singular_name
+  end
+
+  # Returns the resource_name from current scope.
+  # Example:
+  #   resource_class => User
+  def resource_class
+    authenticatable_scope.klass
+  end
+
+  # Returns the choosen identifier column for the
+  # resource in the current scope.
+  # Example:
+  #   identifier_column => :email
+  delegate :identifier_column, to: :resource_class
+
+  # Returns the choosen identifier column as string.
+  # Example:
+  #   identifier_label => Email
+  def identifier_label
+    identifier_column.to_s.titleize
+  end
+
+  # Redirect to after_signed_in_path if authenticated
+  def require_unauthenticated!
+    redirect_to after_sign_in_path(resource, resource_name) if authenticatable.authenticate(resource_name)
+  end
+
+  protected
+
+  # Sets the flash message with :key, using I18n. By default you are able
+  # to set up your messages using specific resource scope, and if no message is
+  # found we look to the default scope. Set the "now" options key to a true
+  # value to populate the flash.now hash in lieu of the default flash hash (so
+  # the flash message will be available to the current action instead of the
+  # next action).
+  def set_flash_message(key, kind, options = {})
+    return unless flashing_format?
+
+    message = find_message(kind, options)
+    return if message.blank?
+
+    if options[:now]
+      flash.now[key] = message
+    else
+      flash[key] = message
+    end
+  end
+
+  # Find message in I18n translation files.
+  def find_message(kind, options = {})
+    options[:scope] ||= translation_scope
+    I18n.t(kind, **options)
+  end
+
+  # Default translation scope for messages
+  def translation_scope
+    "authenticatable.#{controller_name}"
+  end
+
+  # Check if flash messages should be emitted. Default is to do it on
+  # navigational formats
+  def flashing_format?
+    request.respond_to?(:flash) && navigational_format?
+  end
+
+  # Check if current request format is navigational. Formats like
+  # :html & :turbo_stream should redirect and show flash messages,
+  # but formats like :xml or :json, should return 401
+  def navigational_format?
+    Authenticatable.config.navigational_formats.include?(request.format.try(:ref))
+  end
+end

data/app/mailers/authenticatable/mailer.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Authenticatable
+  class Mailer < Authenticatable.config.parent_mailer.constantize
+    include Authenticatable::Controllers::UrlHelpers
+
+    def reset_password(resource, resource_name)
+      @resource = resource
+      @reset_password_url = edit_password_url(resource_name, @resource.reset_password_token)
+
+      mail(
+        to: @resource.email,
+        subject: I18n.t("authenticatable.passwords.email_subject")
+      )
+    end
+  end
+end

data/app/views/authenticatable/mailer/reset_password.html.erb

@@ -0,0 +1,8 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>Someone has requested a link to change your password. You can do this through the link below.</p>
+
+<p><%= link_to 'Change my password', @reset_password_url %></p>
+
+<p>If you didn't request this, please ignore this email.</p>
+<p>Your password won't change until you access the link above and create a new one.</p>

data/app/views/authenticatable/passwords/_edit_form.html.erb

@@ -0,0 +1,6 @@
+<%= form_for resource, url: update_password_path(resource_name, params[:token]), method: :patch do |f| %>
+  <%= render 'authenticatable/shared/errors', resource: resource %>
+  <%= f.password_field :password, placeholder: "Password" %><br>
+  <%= f.password_field :password_confirmation, placeholder: "Confirm your password" %><br>
+  <%= f.submit "Reset password" %>
+<% end %>

data/app/views/authenticatable/passwords/_new_form.html.erb

@@ -0,0 +1,6 @@
+<%= form_for resource, url: password_path(resource_name), method: :create do |f| %>
+  <%= render 'authenticatable/shared/errors', resource: resource %>
+
+  <%= f.text_field identifier_column, placeholder: identifier_label %>
+  <%= f.submit 'Reset password' %>
+<% end %>

data/app/views/authenticatable/passwords/edit.html.erb

@@ -0,0 +1,7 @@
+<h2>Reset your password</h2>
+
+<%= render 'authenticatable/shared/flash_messages' %>
+
+<%= render 'edit_form' %>
+
+<%= render 'authenticatable/shared/links' %>

data/app/views/authenticatable/passwords/new.html.erb

@@ -0,0 +1,7 @@
+<h2>Reset your password</h2>
+
+<%= render 'authenticatable/shared/flash_messages' %>
+
+<%= render 'new_form' %>
+
+<%= render 'authenticatable/shared/links' %>

data/app/views/authenticatable/registrations/_form.html.erb

@@ -0,0 +1,12 @@
+<%= form_for resource, url: registration_path(resource_name) do |f| %>
+  <%= render 'authenticatable/shared/errors', resource: resource %>
+
+  <% unless identifier_column == :email %>
+    <%= f.text_field identifier_column, placeholder: identifier_label %>
+  <% end %>
+
+  <%= f.text_field :email, placeholder: 'Email' %>
+  <%= f.password_field :password, placeholder: 'Password' %>
+  <%= f.password_field :password_confirmation, placeholder: 'Confirm your password' %>
+  <%= f.submit 'Sign up' %>
+<% end %>

data/app/views/authenticatable/registrations/new.html.erb

@@ -0,0 +1,5 @@
+<h2>Sign up</h2>
+
+<%= render 'form' %>
+
+<%= render 'authenticatable/shared/links' %>

data/app/views/authenticatable/sessions/_form.html.erb

@@ -0,0 +1,5 @@
+<%= form_for resource, url: session_path(resource_name) do |f| %>
+  <%= f.text_field identifier_column, placeholder: identifier_label %>
+  <%= f.password_field :password, placeholder: 'Password' %>
+  <%= f.submit 'Sign in' %>
+<% end %>

data/app/views/authenticatable/sessions/new.html.erb

@@ -0,0 +1,7 @@
+<h2>Sign in</h2>
+
+<%= render 'authenticatable/shared/flash_messages' %>
+
+<%= render 'form' %>
+
+<%= render 'authenticatable/shared/links' %>

data/app/views/authenticatable/shared/_errors.html.erb

@@ -0,0 +1,7 @@
+<% if resource.errors.any? %>
+  <ul>
+  <% resource.errors.full_messages.each do |message| %>
+    <li><%= message %></li>
+  <% end %>
+  </ul>
+<% end %>

data/app/views/authenticatable/shared/_flash_messages.html.erb

@@ -0,0 +1,3 @@
+<% flash.each do |key, value| %>
+  <%= content_tag :div, value, class: "flash #{key}" %>
+<% end %>

data/app/views/authenticatable/shared/_links.html.erb

@@ -0,0 +1,12 @@
+<% if authenticatable_scope.registrations? && controller_name != 'registrations' %>
+  Don't have an account? <%= link_to 'Sign up', new_registration_path(resource_name) %><br>
+<% end %>
+
+<% if authenticatable_scope.sessions? && controller_name != 'sessions' %>
+  Already have an account? <%= link_to 'Sign in', new_session_path(resource_name) %><br>
+<% end %>
+
+<% if authenticatable_scope.passwords? && controller_name != 'passwords' %>
+  <%= link_to 'Forgot your password?', new_password_path(resource_name) %><br>
+<% end %>
+

data/config/locales/en.yml

@@ -0,0 +1,14 @@
+en:
+  authenticatable:
+    sessions:
+      success: "Welcome back, %{identifier}"
+      invalid_credentials: "Invalid %{identifier} or password."
+      destroy: You've successfully signed out.
+      destroy_failed: Something went wrong. Couldn't sign you out.
+    registrations:
+      success: You've successfully signed up!
+    passwords:
+      create: We've sent you an email with instructions on how to reset your password.
+      email_subject: Reset your password.
+      invalid_token: Your reset password token has expired. Please request a new one to reset your password.
+      updated: Your password was successfully updated. Sign in with your new password below.

data/lib/authenticatable/controllers/helpers.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Authenticatable
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+      include Authenticatable::Controllers::UrlHelpers
+
+      # Check if the current controller is a AuthenticatableController
+      def authenticatable_controller?
+        is_a?(::AuthenticatableController)
+      end
+
+      class << self
+        # Dynamically define helpers methods for the given scope
+        # For example, current_user, authenticate_user! and user_signed_in? will
+        # be generated for an authenticatable User model.
+        def define_helpers(scope)
+          scope = scope.to_s
+
+          define_current_helper(scope)
+          define_signed_in_helper(scope)
+          define_authenticate_helper(scope)
+
+          # Make current_{scope} and {scope}_signed_in? available as helpers in views.
+          ActiveSupport.on_load(:action_controller) do
+            helpers = "current_#{scope}", "#{scope}_signed_in?"
+            helper_method helpers if respond_to?(:helper_method)
+          end
+        end
+
+        def define_current_helper(scope)
+          class_eval <<-METHOD, __FILE__, __LINE__ + 1
+            # def current_user
+            #   @current_user ||= request.env["authenticatable"].authenticate(:user)
+            # end
+
+            def current_#{scope}
+              @current_#{scope} ||= request.env["authenticatable"].authenticate(:#{scope})
+            end
+          METHOD
+        end
+
+        def define_signed_in_helper(scope)
+          class_eval <<-METHOD, __FILE__, __LINE__ + 1
+            # def user_signed_in?
+            #   !!current_user
+            # end
+
+            def #{scope}_signed_in?
+              !!current_#{scope}
+            end
+          METHOD
+        end
+
+        def define_authenticate_helper(scope)
+          class_eval <<-METHOD, __FILE__, __LINE__ + 1
+            # def authenticate_user!
+            #   request.env["authenticatable"].authenticate!(:user) unless authenticatable_controller?
+            # end
+
+            def authenticate_#{scope}!
+              request.env["authenticatable"].authenticate!(:#{scope}) unless authenticatable_controller?
+            end
+          METHOD
+        end
+      end
+    end
+  end
+end