RubyGems - authentication-zero - Versions diffs - 0.0.15 → 0.0.19 - Mend

authentication-zero 0.0.15 → 0.0.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 39cf93fc2be059b756c15125cfd0d4e35e0a8f96a803fbfcfb3aa31f64b2a704
-  data.tar.gz: 728fdd4a2af75e207db825c581e8fb1856be8d55b4fbfe6ac19aaa8e373b8557
+  metadata.gz: 4b1eabca1df60e043a1cc139cee3426a19c4a2bb494fcd2ceeb68875baecc126
+  data.tar.gz: ca697e2d442e566a3f3b5fe051ca03840756185edd963679636ad76eaac4f972
 SHA512:
-  metadata.gz: ca7dc09acf69d59ada1e204fb77076731212afadddf77337eccc22466307917eed2e5cc1f11b92eee6bcd8722970a021c4ca48664f92714acd9f4c7579978db0
-  data.tar.gz: fe83d4649cf6c24fbbadecfee09dfdd1d245fb689da031eb187f061df26a9d6704cee1db904aa6c3c7c17763c51665637dd58f20515c08e93a88542c01879991
+  metadata.gz: 9cc259932fe245e5031f48aafa8407ed190f04e56a884eef339cfe04b1f21394dcede01d945f601193783caca66d83404f58817ca50d375d52816061cc05b4f5
+  data.tar.gz: 97b372c3e3598d391d254c6b01819a17100475d108fc10f04b2c2d7d4074feb5a00c4703aebe031ccd0800df43344cee7a8c88601d24c0aceeb7150aeed48997

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (0.0.15)
+    authentication-zero (0.0.19)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED Viewed

@@ -17,15 +17,15 @@ The purpose of authentication zero is to generate a pre-built authentication sys
 ## Security and best practices
-- [Current attributes](https://api.rubyonrails.org/classes/ActiveSupport/CurrentAttributes.html): Abstract super class that provides a thread-isolated attributes singleton, which resets automatically before and after each request.
 - [has_secure_password](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password): Adds methods to set and authenticate against a BCrypt password.
 - [has_secure_token](https://api.rubyonrails.org/classes/ActiveRecord/SecureToken/ClassMethods.html#method-i-has_secure_token): Adds methods to generate unique tokens.
-- [authenticate_with_http_token](https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html): Compare the tokens in a time-constant manner, to mitigate timing attacks.
+- [encrypts](https://guides.rubyonrails.org/active_record_encryption.html) Encrypts the session_token on database so if an attacker gained access to your database, a snapshot of it, or your application logs, they wouldn't be able to make sense of the encrypted information.
+- [httponly cookies](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html): A cookie with the httponly attribute is inaccessible to the JavaScript, this precaution helps mitigate cross-site scripting (XSS) attacks.
 - [signed_id](https://api.rubyonrails.org/classes/ActiveRecord/SignedId.html): Returns a signed id that is tamper proof, so it's safe to send in an email or otherwise share with the outside world.
-- [Http only cookies](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html): A cookie with the httponly attribute is inaccessible to the JavaScript, this precaution helps mitigate cross-site scripting (XSS) attacks.
-- [Log filtering](https://guides.rubyonrails.org/action_controller_overview.html#log-filtering): Parameters 'token' and 'password' are marked [FILTERED] in the log.
-- [Callbacks](https://api.rubyonrails.org/classes/ActiveRecord/Callbacks.html): We use callbacks to send emails before changing an email or password.
-- [ActionMailer](https://api.rubyonrails.org/classes/ActionMailer/Base.html): Action Mailer allows you to send email from your application using a mailer model and views.
+- [Current Attributes](https://api.rubyonrails.org/classes/ActiveSupport/CurrentAttributes.html): Abstract super class that provides a thread-isolated attributes singleton, which resets automatically before and after each request.
+- [Log Filtering](https://guides.rubyonrails.org/action_controller_overview.html#log-filtering): Parameters 'token' and 'password' are marked [FILTERED] in the log.
+- [Callbacks](https://api.rubyonrails.org/classes/ActiveRecord/Callbacks.html): We use callbacks to send emails after changing an email or password.
+- [Action Mailer](https://api.rubyonrails.org/classes/ActionMailer/Base.html): Action Mailer allows you to send email from your application using a mailer model and views.
 ## Installation
@@ -38,6 +38,11 @@ gem "authentication-zero"
 Then run `bundle install`
+You'll need to set up active record encryption, run the command below and follow the instructions.
+```
+$ rails db:encryption:init
+```
 You'll need to set the root path in your routes.rb, for this example let's use the following:
 ```ruby

data/lib/authentication_zero/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "0.0.15"
+  VERSION = "0.0.19"
 end

data/lib/generators/authentication/authentication_generator.rb CHANGED Viewed

@@ -16,7 +16,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   end
   def create_mailers
-    template "mailers/email_mailer.rb", "app/mailers/email_mailer.rb"
+    template "mailers/email_mailer.rb", "app/mailers/email_mailer.rb"
     template "mailers/password_mailer.rb", "app/mailers/password_mailer.rb"
   end
@@ -59,8 +59,8 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
         private
           def authenticate
-            if #{singular_table_name} = authenticate_with_http_token { |token, _| #{class_name}.find_by_session_token(token) }
-              Current.user = #{singular_table_name}
+            if #{singular_table_name} = authenticate_with_http_token { |t, _| #{class_name}.find_by_session_token(t) }
+              Current.#{singular_table_name} = #{singular_table_name}
             else
               request_http_token_authentication
             end
@@ -73,8 +73,8 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
         private
           def authenticate
-            if #{singular_table_name} = cookies[:session_token] && #{class_name}.find_by_session_token(cookies[:session_token])
-              Current.user = #{singular_table_name}
+            if #{singular_table_name} = #{class_name}.find_by_session_token(cookies[:session_token])
+              Current.#{singular_table_name} = #{singular_table_name}
             else
               redirect_to sign_in_path, alert: "You need to sign in or sign up before continuing"
             end

data/lib/generators/authentication/templates/controllers/api/sessions_controller.rb.tt CHANGED Viewed

@@ -7,7 +7,7 @@ class SessionsController < ApplicationController
     if @<%= singular_table_name %>.try(:authenticate, params[:password])
       render json: { session_token: @<%= singular_table_name %>.session_token }
     else
-      render json: { error: "Invalid session token" }, status: :unauthorized
+      render json: { error: "Invalid email or password" }, status: :unauthorized
     end
   end

data/lib/generators/authentication/templates/controllers/html/password_resets_controller.rb.tt CHANGED Viewed

@@ -13,7 +13,7 @@ class PasswordResetsController < ApplicationController
       PasswordMailer.with(<%= singular_table_name %>: @<%= singular_table_name %>).reset.deliver_later
       redirect_to sign_in_path, notice: "You will receive an email with instructions on how to reset your password in a few minutes"
     else
-      redirect_to new_password_resets_path, alert: "The email address doesn't exist in our database"
+      redirect_to new_password_resets_path(email_hint: params[:email]), alert: "The email address doesn't exist in our database"
     end
   end

data/lib/generators/authentication/templates/models/resource.rb.tt CHANGED Viewed

@@ -2,6 +2,8 @@ class <%= class_name %> < ApplicationRecord
   has_secure_password :password
   has_secure_token :session_token
+  encrypts :session_token, deterministic: true
   validates :email, presence: true, uniqueness: true
   validates :email, format: { with: /\A[^@\s]+@[^@\s]+\z/ }
   validates_length_of :password, minimum: 8, allow_blank: true
@@ -21,8 +23,4 @@ class <%= class_name %> < ApplicationRecord
       PasswordMailer.with(<%= singular_table_name %>: self).changed.deliver_later
     end
   end
-  def as_json(options = {})
-    super(options.merge(except: [:password_digest, :session_token]))
-  end
 end

data/lib/generators/authentication/templates/views/password_resets/new.html.erb.tt CHANGED Viewed

@@ -5,7 +5,7 @@
 <%%= form_with(url: password_resets_path) do |form| %>
   <div>
     <%%= form.label :email, style: "display: block" %>
-    <%%= form.email_field :email, autofocus: true, required: true %>
+    <%%= form.email_field :email, value: params[:email_hint], autofocus: true, required: true %>
   </div>
   <div>

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 0.0.15
+  version: 0.0.19
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-17 00:00:00.000000000 Z
+date: 2022-02-18 00:00:00.000000000 Z
 dependencies: []
 description:
 email: