RubyGems - authentication-zero - Versions diffs - 1.0.2 → 2.1.1 - Mend

authentication-zero 1.0.2 → 2.1.1

Files changed (55) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c038ff0229826dcb0ef7416e95f41ef7e18a01a7e5993a3995eb992c2a21a44a
-  data.tar.gz: 6295fb855b41a0ea8242916c18c40686f41d6f32e83fe66ed8922fe3b2c24ee7
+  metadata.gz: 44c36959694f55d09ae33d82d3dbe2091a49372c4792eda84bfddf94c62b636c
+  data.tar.gz: 9d4b642209fe681865973ad1a5b13bd8bba1bf63140ae49acfe25923ce085514
 SHA512:
-  metadata.gz: fbbbb3287c24e23260ca3ad7adcc206c864f02843c255c111b6c1f06fd822581db35c522358dfa60a626e83bb2eb0f8494274847185a122f9cd90726c94ae2cf
-  data.tar.gz: fb427adb9595073f03b76bba0683cafd5ce9a699b25d79bbd4df2902abc7f4643f326a4b25c017ce6ab98b7e21d69d0532539aaeec8a018c3d69b7fd597f4d81
+  metadata.gz: cbc64b8248e0bf392983bb19a3034b76471dc54511cb7ffee7ed122bb3c7f1424ec4211b11b5d0026395d622c1e6d6b35c3be09710f5617f45db2daece00ec49
+  data.tar.gz: f3ccd41d8f2c417918cf65c7124fc597355d07bc96ba509bba12174d5161df33b2434a3af76a67f2e23de020f7cec549fc8a326619643373e4c05eb1b799c4bd

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (1.0.2)
+    authentication-zero (2.1.1)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED Viewed

@@ -4,26 +4,24 @@ The purpose of authentication zero is to generate a pre-built authentication sys
 ## Features
+- **Simplest code ever**
 - Sign up
 - Email and password validations
 - Reset the user password and send reset instructions
 - Authentication by cookie (html)
 - Authentication by token (api)
-- Remember me (html)
-- Send e-mail when email is changed
-- Send e-mail when password is changed
+- Send e-mail when sign-in to your account
+- Manage multiple sessions
 - Cancel my account
 - Log out
 ## Security and best practices
 - [has_secure_password](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password): Adds methods to set and authenticate against a BCrypt password.
-- [has_secure_token](https://api.rubyonrails.org/classes/ActiveRecord/SecureToken/ClassMethods.html#method-i-has_secure_token): Adds methods to generate unique tokens.
 - [signed cookies](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html): Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from the cookie again.
 - [httponly cookies](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html): A cookie with the httponly attribute is inaccessible to the JavaScript, this precaution helps mitigate cross-site scripting (XSS) attacks.
 - [signed_id](https://api.rubyonrails.org/classes/ActiveRecord/SignedId.html): Returns a signed id that is tamper proof, so it's safe to send in an email or otherwise share with the outside world.
 - [Current attributes](https://api.rubyonrails.org/classes/ActiveSupport/CurrentAttributes.html): Abstract super class that provides a thread-isolated attributes singleton, which resets automatically before and after each request.
-- [Callbacks](https://api.rubyonrails.org/classes/ActiveRecord/Callbacks.html): We use callbacks to send emails after changing an email or password.
 - [Action mailer](https://api.rubyonrails.org/classes/ActionMailer/Base.html): Action Mailer allows you to send email from your application using a mailer model and views.
 - [Log filtering](https://guides.rubyonrails.org/action_controller_overview.html#log-filtering): Parameters 'token' and 'password' are marked [FILTERED] in the log.
 - [Functional Tests](https://guides.rubyonrails.org/testing.html#functional-tests-for-your-controllers): In Rails, testing the various actions of a controller is a form of writing functional tests.
@@ -56,19 +54,23 @@ Add these lines to your `app/views/home/index.html.erb`:
 <p>Signed as <%= Current.user.email %></p>
+<div>
+  <%= link_to "Change password", edit_passwords_path %>
+</div>
 <div>
   <%= link_to "Change email", edit_emails_path %>
 </div>
 <div>
-  <%= link_to "Change password", edit_passwords_path %>
+  <%= link_to "Manage Sessions", sessions_path %>
 </div>
 <div>
   <%= link_to "Cancel my account & delete my data", new_cancellations_path %>
 </div>
-<%= button_to "Log out", sign_out_path, method: :delete %>
+<%= button_to "Log out", Current.session, method: :delete %>
 ```
 And you'll need to set up the default URL options for the mailer in each environment. Here is a possible configuration for `config/environments/development.rb`:

data/lib/authentication_zero/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "1.0.2"
+  VERSION = "2.1.1"
 end

data/lib/generators/authentication/authentication_generator.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 require "rails/generators/active_record"
 class AuthenticationGenerator < Rails::Generators::NamedBase
+  include ActiveRecord::Generators::Migration
   class_option :api, type: :boolean, desc: "Generates API authentication"
   class_option :migration, type: :boolean, default: true
@@ -18,14 +20,16 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
     uncomment_lines "Gemfile", /bcrypt/
   end
-  def create_migration
+  def create_migrations
     if options.migration
-      invoke "migration", ["create_#{table_name}", "email:string:uniq", "password:digest", "session_token:string:uniq"]
+      migration_template "migrations/create_table_migration.rb", "#{db_migrate_path}/create_#{table_name}.rb"
+      migration_template "migrations/create_sessions_migration.rb", "#{db_migrate_path}/create_sessions.rb"
     end
   end
   def create_models
     template "models/model.rb", "app/models/#{file_name}.rb"
+    template "models/session.rb", "app/models/session.rb"
     template "models/current.rb", "app/models/current.rb"
   end
@@ -34,6 +38,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def create_fixture_file
     if options.fixture && options.fixture_replacement.nil?
       template "#{test_framework}/fixtures.yml", "test/fixtures/#{fixture_file_name}.yml"
+      template "#{test_framework}/sessions.yml", "test/fixtures/sessions.yml"
     end
   end
@@ -45,8 +50,10 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       private
         def authenticate
-          authenticate_or_request_with_http_token do |token, _options|
-            Current.#{singular_table_name} = #{class_name}.find_signed_session_token(token)
+          if session = authenticate_with_http_token { |token, _| Session.find_signed(token) }
+            Current.session = session
+          else
+            request_http_token_authentication
           end
         end
     CODE
@@ -56,10 +63,10 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       private
         def authenticate
-          if #{singular_table_name} = #{class_name}.find_by_session_token(cookies.signed[:session_token])
-            Current.#{singular_table_name} = #{singular_table_name}
+          if session = Session.find_by_id(cookies.signed[:session_token])
+            Current.session = session
           else
-            redirect_to sign_in_path, alert: "You need to sign in or sign up before continuing"
+            redirect_to sign_in_path
           end
         end
     CODE
@@ -74,7 +81,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def create_views
     if options.api
-      directory "erb/email_mailer", "app/views/email_mailer"
+      directory "erb/session_mailer", "app/views/session_mailer"
       directory "erb/password_mailer", "app/views/password_mailer"
     else
       directory "#{template_engine}", "app/views"
@@ -87,11 +94,11 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def add_routes
     unless options.skip_routes
-      route "resource :password_resets, only: [:new, :edit, :create, :update]"
-      route "resource :cancellations, only: [:new, :create]"
-      route "resource :passwords, only: [:edit, :update]"
-      route "resource :emails, only: [:edit, :update]"
-      route "delete 'sign_out', to: 'sessions#destroy'"
+      route "resource :password_reset, only: [:new, :edit, :create, :update]"
+      route "resource :cancellation, only: [:new, :create]"
+      route "resource :password, only: [:edit, :update]"
+      route "resource :email, only: [:edit, :update]"
+      route "resources :sessions, only: [:index, :show, :destroy]"
       route "post 'sign_up', to: 'registrations#create'"
       route "get 'sign_up', to: 'registrations#new'" unless options.api?
       route "post 'sign_in', to: 'sessions#create'"

data/lib/generators/authentication/templates/controllers/api/password_resets_controller.rb.tt CHANGED Viewed

@@ -1,11 +1,7 @@
 class PasswordResetsController < ApplicationController
   skip_before_action :authenticate
-  before_action :set_<%= singular_table_name %>, only: %i[ edit update ]
-  def edit
-    render json: { error: "Open this link in your device" }, status: :not_found
-  end
+  before_action :set_<%= singular_table_name %>, only: :update
   def create
     if @<%= singular_table_name %> = <%= class_name %>.find_by_email(params[:email])

data/lib/generators/authentication/templates/controllers/api/sessions_controller.rb.tt CHANGED Viewed

@@ -1,17 +1,39 @@
 class SessionsController < ApplicationController
-  skip_before_action :authenticate, except: :destroy
+  skip_before_action :authenticate, only: :create
+  before_action :set_session, only: %i[ show destroy ]
+  def index
+    render json: Current.<%= singular_table_name %>.sessions.order(created_at: :desc)
+  end
+  def show
+    render json: @session
+  end
   def create
     @<%= singular_table_name %> = <%= class_name %>.find_by_email(params[:email])
     if @<%= singular_table_name %>.try(:authenticate, params[:password])
-      render json: { session_token: @<%= singular_table_name %>.signed_session_token }, status: :ok
+      session = @<%= singular_table_name %>.sessions.create!(session_params)
+      response.set_header("X-Session-Token", session.signed_id)
+      render json: session, status: :created
     else
-      render json: { error: "Invalid email or password" }, status: :unauthorized
+      render json: { error: "That email or password is incorrect" }, status: :unauthorized
     end
   end
   def destroy
-    Current.<%= singular_table_name %>.regenerate_session_token
+    @session.destroy
   end
+  private
+    def set_session
+      @session = Current.<%= singular_table_name %>.sessions.find(params[:id])
+    end
+    def session_params
+      { user_agent: request.user_agent, ip_address: request.remote_ip }
+    end
 end

data/lib/generators/authentication/templates/controllers/html/cancellations_controller.rb.tt CHANGED Viewed

@@ -4,6 +4,6 @@ class CancellationsController < ApplicationController
   def create
     Current.<%= singular_table_name %>.destroy
-    redirect_to sign_in_path, notice: "Bye! Your account has been successfully cancelled"
+    redirect_to sign_in_path, notice: "Your account is closed"
   end
 end

data/lib/generators/authentication/templates/controllers/html/emails_controller.rb.tt CHANGED Viewed

@@ -6,9 +6,9 @@ class EmailsController < ApplicationController
   def update
     if !@<%= singular_table_name %>.authenticate(params[:current_password])
-      redirect_to edit_emails_path, alert: "The current password you entered is incorrect"
+      redirect_to edit_email_path, alert: "The current password you entered is incorrect"
     elsif @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
-      redirect_to root_path, notice: "Your email has been changed successfully"
+      redirect_to root_path, notice: "Your email has been changed"
     else
       render :edit, status: :unprocessable_entity
     end

data/lib/generators/authentication/templates/controllers/html/password_resets_controller.rb.tt CHANGED Viewed

@@ -12,9 +12,9 @@ class PasswordResetsController < ApplicationController
   def create
     if @<%= singular_table_name %> = <%= class_name %>.find_by_email(params[:email])
       PasswordMailer.with(<%= singular_table_name %>: @<%= singular_table_name %>).reset.deliver_later
-      redirect_to sign_in_path, notice: "You will receive an email with instructions on how to reset your password in a few minutes"
+      redirect_to sign_in_path, notice: "Check your email for reset instructions"
     else
-      redirect_to new_password_resets_path, alert: "Sorry, we didn't recognize that email address"
+      redirect_to new_password_reset_path, alert: "Sorry, we didn't recognize that email address"
     end
   end
@@ -30,7 +30,7 @@ class PasswordResetsController < ApplicationController
     def set_<%= singular_table_name %>
       @<%= singular_table_name %> = <%= class_name %>.find_signed!(params[:token], purpose: :password_reset)
     rescue ActiveSupport::MessageVerifier::InvalidSignature
-      redirect_to new_password_resets_path, alert: "Your token has expired, please request a new one"
+      redirect_to new_password_reset_path, alert: "Your token has expired, please request a new one"
     end
     def <%= "#{singular_table_name}_params" %>

data/lib/generators/authentication/templates/controllers/html/passwords_controller.rb.tt CHANGED Viewed

@@ -6,9 +6,9 @@ class PasswordsController < ApplicationController
   def update
     if !@<%= singular_table_name %>.authenticate(params[:current_password])
-      redirect_to edit_passwords_path, alert: "The current password you entered is incorrect"
+      redirect_to edit_password_path, alert: "The current password you entered is incorrect"
     elsif @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
-      redirect_to root_path, notice: "Your password has been changed successfully"
+      redirect_to root_path, notice: "Your password has been changed"
     else
       render :edit, status: :unprocessable_entity
     end

data/lib/generators/authentication/templates/controllers/html/registrations_controller.rb.tt CHANGED Viewed

@@ -9,8 +9,7 @@ class RegistrationsController < ApplicationController
     @<%= singular_table_name %> = <%= class_name %>.new(<%= "#{singular_table_name}_params" %>)
     if @<%= singular_table_name %>.save
-      cookies.signed[:session_token] = { value: @<%= singular_table_name %>.session_token, httponly: true }
-      redirect_to root_path, notice: "Welcome! You have signed up successfully"
+      redirect_to sign_in_path, notice: "Welcome! You have signed up successfully"
     else
       render :new, status: :unprocessable_entity
     end

data/lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt CHANGED Viewed

@@ -1,5 +1,11 @@
 class SessionsController < ApplicationController
-  skip_before_action :authenticate, except: :destroy
+  skip_before_action :authenticate, only: %i[ new create ]
+  before_action :set_session, only: :destroy
+  def index
+    @sessions = Current.<%= singular_table_name %>.sessions.order(created_at: :desc)
+  end
   def new
     @<%= singular_table_name %> = <%= class_name %>.new
@@ -9,20 +15,26 @@ class SessionsController < ApplicationController
     @<%= singular_table_name %> = <%= class_name %>.find_by_email(params[:email])
     if @<%= singular_table_name %>.try(:authenticate, params[:password])
-      if params[:remember_me] == "1"
-        cookies.signed.permanent[:session_token] = { value: @<%= singular_table_name %>.session_token, httponly: true }
-      else
-        cookies.signed[:session_token] = { value: @<%= singular_table_name %>.session_token, httponly: true }
-      end
+      @session = @<%= singular_table_name %>.sessions.create!(session_params)
+      cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
       redirect_to root_path, notice: "Signed in successfully"
     else
-      redirect_to sign_in_path(email_hint: params[:email]), alert: "Invalid email or password"
+      redirect_to sign_in_path(email_hint: params[:email]), alert: "That email or password is incorrect"
     end
   end
   def destroy
-    Current.<%= singular_table_name %>.regenerate_session_token
-    redirect_to sign_in_path, notice: "Signed out successfully"
+    @session.destroy
+    redirect_to sessions_path, notice: "That session has been logged out"
   end
+  private
+    def set_session
+      @session = Current.<%= singular_table_name %>.sessions.find(params[:id])
+    end
+    def session_params
+      { user_agent: request.user_agent, ip_address: request.remote_ip }
+    end
 end

data/lib/generators/authentication/templates/erb/cancellations/new.html.erb.tt CHANGED Viewed

@@ -7,5 +7,5 @@
 <br>
 <div>
-  <%%= button_to "OK, close my account", cancellations_path %>
+  <%%= button_to "OK, close my account", cancellation_path %>
 </div>

data/lib/generators/authentication/templates/erb/emails/edit.html.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@
 <h1>Change your email</h1>
-<%%= form_with(model: @<%= model_resource_name %>, url: emails_path) do |form| %>
+<%%= form_with(model: @<%= model_resource_name %>, url: email_path) do |form| %>
   <%% if @<%= singular_table_name %>.errors.any? %>
     <div style="color: red">
       <h2><%%= pluralize(@<%= singular_table_name %>.errors.count, "error") %> prohibited this <%= singular_table_name %> from being saved:</h2>

data/lib/generators/authentication/templates/erb/password_mailer/reset.html.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@
 <p>Can't remember your password for <strong><%%= params[:<%= singular_table_name %>].email %></strong>? That's OK, it happens. Just hit the link below to set a new one.</p>
-<p><%%= link_to "Reset my password", edit_password_resets_url(token: @signed_id) %></p>
+<p><%%= link_to "Reset my password", edit_password_reset_url(token: @signed_id) %></p>
 <p>If you did not request a password reset you can safely ignore this email, it expires in 20 minutes. Only someone with access to this email account can reset your password.</p>

data/lib/generators/authentication/templates/erb/password_mailer/reset.text.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@ Hey there,
 Can't remember your password for <%%= params[:<%= singular_table_name %>].email %>? That's OK, it happens. Just hit the link below to set a new one.
-[Reset my password]<%%= edit_password_resets_url(token: @signed_id) %>
+[Reset my password]<%%= edit_password_reset_url(token: @signed_id) %>
 If you did not request a password reset you can safely ignore this email, it expires in 20 minutes. Only someone with access to this email account can reset your password.

data/lib/generators/authentication/templates/erb/password_resets/edit.html.erb.tt CHANGED Viewed

@@ -1,6 +1,6 @@
 <h1>Reset your password</h1>
-<%%= form_with(model: @<%= model_resource_name %>, url: password_resets_path) do |form| %>
+<%%= form_with(model: @<%= model_resource_name %>, url: password_reset_path) do |form| %>
   <%% if @<%= singular_table_name %>.errors.any? %>
     <div style="color: red">
       <h2><%%= pluralize(@<%= singular_table_name %>.errors.count, "error") %> prohibited this <%= singular_table_name %> from being saved:</h2>

data/lib/generators/authentication/templates/erb/password_resets/new.html.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@
 <h1>Forgot your password?</h1>
-<%%= form_with(url: password_resets_path) do |form| %>
+<%%= form_with(url: password_reset_path) do |form| %>
   <div>
     <%%= form.label :email, style: "display: block" %>
     <%%= form.email_field :email, autofocus: true, required: true %>

data/lib/generators/authentication/templates/erb/passwords/edit.html.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@
 <h1>Change your password</h1>
-<%%= form_with(model: @<%= model_resource_name %>, url: passwords_path) do |form| %>
+<%%= form_with(model: @<%= model_resource_name %>, url: password_path) do |form| %>
   <%% if @<%= singular_table_name %>.errors.any? %>
     <div style="color: red">
       <h2><%%= pluralize(@<%= singular_table_name %>.errors.count, "error") %> prohibited this <%= singular_table_name %> from being saved:</h2>

data/lib/generators/authentication/templates/erb/session_mailer/signed_in.html.erb.tt ADDED Viewed

@@ -0,0 +1,21 @@
+<p>Hey there,</p>
+<p>A new device just signed in to your account (<%%= @session.<%= singular_table_name %>.email %>).</p>
+<p>
+  <strong><%%= @session.user_agent %></strong>
+  <br>
+  <%%= @session.created_at %>
+  <br>
+  IP address: <%%= @session.ip_address %>
+</p>
+<p><strong>If this was you, carry on.</strong> We won't notify you about sign-ins from this device again.</p>
+<p><strong>If you don't recognize this device</strong>, someone else may have accessed your account. You should immediately <%%= link_to "change your password", new_password_reset_url %>.</p>
+<p><strong>Tip:</strong> It's a good idea to periodically review all of the <%%= link_to "devices and sessions", sessions_url %> in your account for suspicious activity.</p>
+<hr>
+<p>Have questions or need help? Just reply to this email and our support team will help you sort it out.</p>

data/lib/generators/authentication/templates/erb/session_mailer/signed_in.text.erb.tt ADDED Viewed

@@ -0,0 +1,17 @@
+Hey there,
+A new device just signed in to your account (<%%= @session.<%= singular_table_name %>.email %>).
+<%%= @session.user_agent %>
+<%%= @session.created_at %>
+<%%= @session.ip_address %>
+If this was you, carry on. We won't notify you about sign-ins from this device again.
+If you don't recognize this device, someone else may have accessed your account. You should immediately [change your password]<%%= new_password_reset_url %>.
+Tip: It's a good idea to periodically review all of the [devices and sessions]<%%= sessions_url %> in your account for suspicious activity.
+<p>Have questions or need help? Just reply to this email and our support team will help you sort it out.

data/lib/generators/authentication/templates/erb/sessions/index.html.erb.tt ADDED Viewed

@@ -0,0 +1,34 @@
+<p style="color: green"><%%= notice %></p>
+<h1>Sessions</h1>
+<div id="sessions">
+  <%% @sessions.each do |session| %>
+    <div id="<%%= dom_id session %>">
+      <p>
+        <strong>User Agent:</strong>
+        <%%= session.user_agent %>
+      </p>
+      <p>
+        <strong>Ip Address:</strong>
+        <%%= session.ip_address %>
+      </p>
+      <p>
+        <strong>Created at:</strong>
+        <%%= session.created_at %>
+      </p>
+    </div>
+    <p>
+      <%%= button_to "Log out", session, method: :delete %>
+    </p>
+  <%% end %>
+</div>
+<br>
+<div>
+  <%%= link_to "Back", root_path %>
+</div>

data/lib/generators/authentication/templates/erb/sessions/new.html.erb.tt CHANGED Viewed

@@ -14,11 +14,6 @@
     <%%= form.password_field :password, required: true, autocomplete: "current-password" %>
   </div>
-  <div>
-    <%%= form.check_box :remember_me %>
-    <%%= form.label :remember_me %>
-  </div>
   <div>
     <%%= form.submit "Sign in" %>
   </div>
@@ -28,5 +23,5 @@
 <div>
   <%%= link_to "Sign up", sign_up_path %> |
-  <%%= link_to "Forgot your password?", new_password_resets_path %>
+  <%%= link_to "Forgot your password?", new_password_reset_path %>
 </div>

data/lib/generators/authentication/templates/mailers/password_mailer.rb.tt CHANGED Viewed

@@ -1,10 +1,6 @@
 class PasswordMailer < ApplicationMailer
-  def changed
-    mail to: params[:<%= singular_table_name %>].email
-  end
   def reset
     @signed_id = params[:<%= singular_table_name %>].signed_id(purpose: :password_reset, expires_in: 20.minutes)
-    mail to: params[:<%= singular_table_name %>].email
+    mail to: params[:<%= singular_table_name %>].email, subject: "Reset your password"
   end
 end

data/lib/generators/authentication/templates/mailers/session_mailer.rb.tt ADDED Viewed

@@ -0,0 +1,6 @@
+class SessionMailer < ApplicationMailer
+  def signed_in
+    @session = params[:session]
+    mail to: @session.<%= singular_table_name %>.email, subject: "New sign-in to your account"
+  end
+end

data/lib/generators/authentication/templates/migrations/create_sessions_migration.rb.tt ADDED Viewed

@@ -0,0 +1,11 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :sessions do |t|
+      t.references :<%= singular_table_name %>, null: false, foreign_key: true
+      t.string :user_agent
+      t.string :ip_address
+      t.timestamps
+    end
+  end
+end

data/lib/generators/authentication/templates/migrations/create_table_migration.rb.tt ADDED Viewed

@@ -0,0 +1,12 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :<%= table_name %> do |t|
+      t.string :email, null: false
+      t.string :password_digest, null: false
+      t.timestamps
+    end
+    add_index :<%= table_name %>, :email, unique: true
+  end
+end

data/lib/generators/authentication/templates/models/current.rb.tt CHANGED Viewed

@@ -1,3 +1,7 @@
 class Current < ActiveSupport::CurrentAttributes
-  attribute :<%= singular_table_name %>
+  attribute :session, :<%= singular_table_name %>
+  def session=(session)
+    super; Current.<%= singular_table_name %> = session.<%= singular_table_name %>
+  end
 end

data/lib/generators/authentication/templates/models/model.rb.tt CHANGED Viewed

@@ -1,7 +1,8 @@
 class <%= class_name %> < ApplicationRecord
-  has_secure_token :session_token
   has_secure_password
+  has_many :sessions, dependent: :destroy
   validates :email, presence: true, uniqueness: true
   validates :email, format: { with: /\A[^@\s]+@[^@\s]+\z/ }
   validates_length_of :password, minimum: 8, allow_blank: true
@@ -9,31 +10,4 @@ class <%= class_name %> < ApplicationRecord
   before_validation do
     self.email = email.downcase.strip
   end
-  after_update_commit do
-    if self.email_previously_changed?
-      EmailMailer.with(change: self.email_previous_change).changed.deliver_later
-    end
-  end
-  after_update_commit do
-    if self.password_digest_previously_changed?
-      PasswordMailer.with(<%= singular_table_name %>: self).changed.deliver_later
-    end
-  end
-<% if options.api? %>
-  def signed_session_token
-    Rails.application.message_verifier(:session_token).generate(session_token)
-  end
-  def self.find_signed_session_token(signed_session_token)
-    if session_token = Rails.application.message_verifier(:session_token).verified(signed_session_token)
-      find_by_session_token(session_token)
-    end
-  end
-  def as_json(options = {})
-    super(options.merge(except: [:password_digest, :session_token]))
-  end
-<% end -%>
 end

data/lib/generators/authentication/templates/models/session.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+class Session < ApplicationRecord
+  belongs_to :<%= singular_table_name %>
+  after_create_commit do
+    SessionMailer.with(session: self).signed_in.deliver_later
+  end
+end

data/lib/generators/authentication/templates/test_unit/controllers/api/cancellations_controller_test.rb.tt CHANGED Viewed

@@ -7,7 +7,7 @@ class CancellationsControllerTest < ActionDispatch::IntegrationTest
   test "should create cancellation" do
     assert_difference("<%= class_name %>.count", -1) do
-      post cancellations_url, headers: { "Authorization" => "Bearer #{@token}" }
+      post cancellation_url, headers: { "Authorization" => "Bearer #{@token}" }
     end
     assert_response :no_content
@@ -15,6 +15,6 @@ class CancellationsControllerTest < ActionDispatch::IntegrationTest
   def sign_in_as(<%= singular_table_name %>)
     post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "secret123" })
-    [<%= singular_table_name %>, response.parsed_body["session_token"]]
-  end
+    [<%= singular_table_name %>, response.headers["X-Session-Token"]]
+  end
 end