RubyGems - authentication-zero - Versions diffs - 1.0.2 → 2.1.1 - Mend

authentication-zero 1.0.2 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c038ff0229826dcb0ef7416e95f41ef7e18a01a7e5993a3995eb992c2a21a44a
-  data.tar.gz: 6295fb855b41a0ea8242916c18c40686f41d6f32e83fe66ed8922fe3b2c24ee7
+  metadata.gz: 44c36959694f55d09ae33d82d3dbe2091a49372c4792eda84bfddf94c62b636c
+  data.tar.gz: 9d4b642209fe681865973ad1a5b13bd8bba1bf63140ae49acfe25923ce085514
 SHA512:
-  metadata.gz: fbbbb3287c24e23260ca3ad7adcc206c864f02843c255c111b6c1f06fd822581db35c522358dfa60a626e83bb2eb0f8494274847185a122f9cd90726c94ae2cf
-  data.tar.gz: fb427adb9595073f03b76bba0683cafd5ce9a699b25d79bbd4df2902abc7f4643f326a4b25c017ce6ab98b7e21d69d0532539aaeec8a018c3d69b7fd597f4d81
+  metadata.gz: cbc64b8248e0bf392983bb19a3034b76471dc54511cb7ffee7ed122bb3c7f1424ec4211b11b5d0026395d622c1e6d6b35c3be09710f5617f45db2daece00ec49
+  data.tar.gz: f3ccd41d8f2c417918cf65c7124fc597355d07bc96ba509bba12174d5161df33b2434a3af76a67f2e23de020f7cec549fc8a326619643373e4c05eb1b799c4bd

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (1.0.2)
+    authentication-zero (2.1.1)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED Viewed

@@ -4,26 +4,24 @@ The purpose of authentication zero is to generate a pre-built authentication sys
 ## Features
+- **Simplest code ever**
 - Sign up
 - Email and password validations
 - Reset the user password and send reset instructions
 - Authentication by cookie (html)
 - Authentication by token (api)
-- Remember me (html)
-- Send e-mail when email is changed
-- Send e-mail when password is changed
+- Send e-mail when sign-in to your account
+- Manage multiple sessions
 - Cancel my account
 - Log out
 ## Security and best practices
 - [has_secure_password](https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/ClassMethods.html#method-i-has_secure_password): Adds methods to set and authenticate against a BCrypt password.
-- [has_secure_token](https://api.rubyonrails.org/classes/ActiveRecord/SecureToken/ClassMethods.html#method-i-has_secure_token): Adds methods to generate unique tokens.
 - [signed cookies](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html): Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from the cookie again.
 - [httponly cookies](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html): A cookie with the httponly attribute is inaccessible to the JavaScript, this precaution helps mitigate cross-site scripting (XSS) attacks.
 - [signed_id](https://api.rubyonrails.org/classes/ActiveRecord/SignedId.html): Returns a signed id that is tamper proof, so it's safe to send in an email or otherwise share with the outside world.
 - [Current attributes](https://api.rubyonrails.org/classes/ActiveSupport/CurrentAttributes.html): Abstract super class that provides a thread-isolated attributes singleton, which resets automatically before and after each request.
-- [Callbacks](https://api.rubyonrails.org/classes/ActiveRecord/Callbacks.html): We use callbacks to send emails after changing an email or password.
 - [Action mailer](https://api.rubyonrails.org/classes/ActionMailer/Base.html): Action Mailer allows you to send email from your application using a mailer model and views.
 - [Log filtering](https://guides.rubyonrails.org/action_controller_overview.html#log-filtering): Parameters 'token' and 'password' are marked [FILTERED] in the log.
 - [Functional Tests](https://guides.rubyonrails.org/testing.html#functional-tests-for-your-controllers): In Rails, testing the various actions of a controller is a form of writing functional tests.
@@ -56,19 +54,23 @@ Add these lines to your `app/views/home/index.html.erb`:
 <p>Signed as <%= Current.user.email %></p>
+<div>
+  <%= link_to "Change password", edit_passwords_path %>
+</div>
 <div>
   <%= link_to "Change email", edit_emails_path %>
 </div>
 <div>
-  <%= link_to "Change password", edit_passwords_path %>
+  <%= link_to "Manage Sessions", sessions_path %>
 </div>
 <div>
   <%= link_to "Cancel my account & delete my data", new_cancellations_path %>
 </div>
-<%= button_to "Log out", sign_out_path, method: :delete %>
+<%= button_to "Log out", Current.session, method: :delete %>
 ```
 And you'll need to set up the default URL options for the mailer in each environment. Here is a possible configuration for `config/environments/development.rb`:

data/lib/authentication_zero/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "1.0.2"
+  VERSION = "2.1.1"
 end

data/lib/generators/authentication/authentication_generator.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 require "rails/generators/active_record"
 class AuthenticationGenerator < Rails::Generators::NamedBase
+  include ActiveRecord::Generators::Migration
   class_option :api, type: :boolean, desc: "Generates API authentication"
   class_option :migration, type: :boolean, default: true
@@ -18,14 +20,16 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
     uncomment_lines "Gemfile", /bcrypt/
   end
-  def create_migration
+  def create_migrations
     if options.migration
-      invoke "migration", ["create_#{table_name}", "email:string:uniq", "password:digest", "session_token:string:uniq"]
+      migration_template "migrations/create_table_migration.rb", "#{db_migrate_path}/create_#{table_name}.rb"
+      migration_template "migrations/create_sessions_migration.rb", "#{db_migrate_path}/create_sessions.rb"
     end
   end
   def create_models
     template "models/model.rb", "app/models/#{file_name}.rb"
+    template "models/session.rb", "app/models/session.rb"
     template "models/current.rb", "app/models/current.rb"
   end
@@ -34,6 +38,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def create_fixture_file
     if options.fixture && options.fixture_replacement.nil?
       template "#{test_framework}/fixtures.yml", "test/fixtures/#{fixture_file_name}.yml"
+      template "#{test_framework}/sessions.yml", "test/fixtures/sessions.yml"
     end
   end
@@ -45,8 +50,10 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       private
         def authenticate
-          authenticate_or_request_with_http_token do |token, _options|
-            Current.#{singular_table_name} = #{class_name}.find_signed_session_token(token)
+          if session = authenticate_with_http_token { |token, _| Session.find_signed(token) }
+            Current.session = session
+          else
+            request_http_token_authentication
           end
         end
     CODE
@@ -56,10 +63,10 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       private
         def authenticate
-          if #{singular_table_name} = #{class_name}.find_by_session_token(cookies.signed[:session_token])
-            Current.#{singular_table_name} = #{singular_table_name}
+          if session = Session.find_by_id(cookies.signed[:session_token])
+            Current.session = session
           else
-            redirect_to sign_in_path, alert: "You need to sign in or sign up before continuing"
+            redirect_to sign_in_path
           end
         end
     CODE
@@ -74,7 +81,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def create_views
     if options.api
-      directory "erb/email_mailer", "app/views/email_mailer"
+      directory "erb/session_mailer", "app/views/session_mailer"
       directory "erb/password_mailer", "app/views/password_mailer"
     else
       directory "#{template_engine}", "app/views"
@@ -87,11 +94,11 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def add_routes
     unless options.skip_routes
-      route "resource :password_resets, only: [:new, :edit, :create, :update]"
-      route "resource :cancellations, only: [:new, :create]"
-      route "resource :passwords, only: [:edit, :update]"
-      route "resource :emails, only: [:edit, :update]"
-      route "delete 'sign_out', to: 'sessions#destroy'"
+      route "resource :password_reset, only: [:new, :edit, :create, :update]"
+      route "resource :cancellation, only: [:new, :create]"
+      route "resource :password, only: [:edit, :update]"
+      route "resource :email, only: [:edit, :update]"
+      route "resources :sessions, only: [:index, :show, :destroy]"
       route "post 'sign_up', to: 'registrations#create'"
       route "get 'sign_up', to: 'registrations#new'" unless options.api?
       route "post 'sign_in', to: 'sessions#create'"

data/lib/generators/authentication/templates/controllers/api/password_resets_controller.rb.tt CHANGED Viewed

@@ -1,11 +1,7 @@
 class PasswordResetsController < ApplicationController
   skip_before_action :authenticate
-  before_action :set_<%= singular_table_name %>, only: %i[ edit update ]
-  def edit
-    render json: { error: "Open this link in your device" }, status: :not_found
-  end
+  before_action :set_<%= singular_table_name %>, only: :update
   def create
     if @<%= singular_table_name %> = <%= class_name %>.find_by_email(params[:email])

data/lib/generators/authentication/templates/controllers/api/sessions_controller.rb.tt CHANGED Viewed

@@ -1,17 +1,39 @@
 class SessionsController < ApplicationController
-  skip_before_action :authenticate, except: :destroy
+  skip_before_action :authenticate, only: :create
+  before_action :set_session, only: %i[ show destroy ]
+  def index
+    render json: Current.<%= singular_table_name %>.sessions.order(created_at: :desc)
+  end
+  def show
+    render json: @session
+  end
   def create
     @<%= singular_table_name %> = <%= class_name %>.find_by_email(params[:email])
     if @<%= singular_table_name %>.try(:authenticate, params[:password])
-      render json: { session_token: @<%= singular_table_name %>.signed_session_token }, status: :ok
+      session = @<%= singular_table_name %>.sessions.create!(session_params)
+      response.set_header("X-Session-Token", session.signed_id)
+      render json: session, status: :created
     else
-      render json: { error: "Invalid email or password" }, status: :unauthorized
+      render json: { error: "That email or password is incorrect" }, status: :unauthorized
     end
   end
   def destroy
-    Current.<%= singular_table_name %>.regenerate_session_token
+    @session.destroy
   end
+  private
+    def set_session
+      @session = Current.<%= singular_table_name %>.sessions.find(params[:id])
+    end
+    def session_params
+      { user_agent: request.user_agent, ip_address: request.remote_ip }
+    end
 end

data/lib/generators/authentication/templates/controllers/html/cancellations_controller.rb.tt CHANGED Viewed

@@ -4,6 +4,6 @@ class CancellationsController < ApplicationController
   def create
     Current.<%= singular_table_name %>.destroy
-    redirect_to sign_in_path, notice: "Bye! Your account has been successfully cancelled"
+    redirect_to sign_in_path, notice: "Your account is closed"
   end
 end

data/lib/generators/authentication/templates/controllers/html/emails_controller.rb.tt CHANGED Viewed

@@ -6,9 +6,9 @@ class EmailsController < ApplicationController
   def update
     if !@<%= singular_table_name %>.authenticate(params[:current_password])
-      redirect_to edit_emails_path, alert: "The current password you entered is incorrect"
+      redirect_to edit_email_path, alert: "The current password you entered is incorrect"
     elsif @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
-      redirect_to root_path, notice: "Your email has been changed successfully"
+      redirect_to root_path, notice: "Your email has been changed"
     else
       render :edit, status: :unprocessable_entity
     end

data/lib/generators/authentication/templates/controllers/html/password_resets_controller.rb.tt CHANGED Viewed

@@ -12,9 +12,9 @@ class PasswordResetsController < ApplicationController
   def create
     if @<%= singular_table_name %> = <%= class_name %>.find_by_email(params[:email])
       PasswordMailer.with(<%= singular_table_name %>: @<%= singular_table_name %>).reset.deliver_later
-      redirect_to sign_in_path, notice: "You will receive an email with instructions on how to reset your password in a few minutes"
+      redirect_to sign_in_path, notice: "Check your email for reset instructions"
     else
-      redirect_to new_password_resets_path, alert: "Sorry, we didn't recognize that email address"
+      redirect_to new_password_reset_path, alert: "Sorry, we didn't recognize that email address"
     end
   end
@@ -30,7 +30,7 @@ class PasswordResetsController < ApplicationController
     def set_<%= singular_table_name %>
       @<%= singular_table_name %> = <%= class_name %>.find_signed!(params[:token], purpose: :password_reset)
     rescue ActiveSupport::MessageVerifier::InvalidSignature
-      redirect_to new_password_resets_path, alert: "Your token has expired, please request a new one"
+      redirect_to new_password_reset_path, alert: "Your token has expired, please request a new one"
     end
     def <%= "#{singular_table_name}_params" %>

data/lib/generators/authentication/templates/controllers/html/passwords_controller.rb.tt CHANGED Viewed

@@ -6,9 +6,9 @@ class PasswordsController < ApplicationController
   def update
     if !@<%= singular_table_name %>.authenticate(params[:current_password])
-      redirect_to edit_passwords_path, alert: "The current password you entered is incorrect"
+      redirect_to edit_password_path, alert: "The current password you entered is incorrect"
     elsif @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
-      redirect_to root_path, notice: "Your password has been changed successfully"
+      redirect_to root_path, notice: "Your password has been changed"
     else
       render :edit, status: :unprocessable_entity
     end

data/lib/generators/authentication/templates/controllers/html/registrations_controller.rb.tt CHANGED Viewed

@@ -9,8 +9,7 @@ class RegistrationsController < ApplicationController
     @<%= singular_table_name %> = <%= class_name %>.new(<%= "#{singular_table_name}_params" %>)
     if @<%= singular_table_name %>.save
-      cookies.signed[:session_token] = { value: @<%= singular_table_name %>.session_token, httponly: true }
-      redirect_to root_path, notice: "Welcome! You have signed up successfully"
+      redirect_to sign_in_path, notice: "Welcome! You have signed up successfully"
     else
       render :new, status: :unprocessable_entity
     end

data/lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt CHANGED Viewed

@@ -1,5 +1,11 @@
 class SessionsController < ApplicationController
-  skip_before_action :authenticate, except: :destroy
+  skip_before_action :authenticate, only: %i[ new create ]
+  before_action :set_session, only: :destroy
+  def index
+    @sessions = Current.<%= singular_table_name %>.sessions.order(created_at: :desc)
+  end
   def new
     @<%= singular_table_name %> = <%= class_name %>.new
@@ -9,20 +15,26 @@ class SessionsController < ApplicationController
     @<%= singular_table_name %> = <%= class_name %>.find_by_email(params[:email])
     if @<%= singular_table_name %>.try(:authenticate, params[:password])
-      if params[:remember_me] == "1"
-        cookies.signed.permanent[:session_token] = { value: @<%= singular_table_name %>.session_token, httponly: true }
-      else
-        cookies.signed[:session_token] = { value: @<%= singular_table_name %>.session_token, httponly: true }
-      end
+      @session = @<%= singular_table_name %>.sessions.create!(session_params)
+      cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
       redirect_to root_path, notice: "Signed in successfully"
     else
-      redirect_to sign_in_path(email_hint: params[:email]), alert: "Invalid email or password"
+      redirect_to sign_in_path(email_hint: params[:email]), alert: "That email or password is incorrect"
     end
   end
   def destroy
-    Current.<%= singular_table_name %>.regenerate_session_token
-    redirect_to sign_in_path, notice: "Signed out successfully"
+    @session.destroy
+    redirect_to sessions_path, notice: "That session has been logged out"
   end
+  private
+    def set_session
+      @session = Current.<%= singular_table_name %>.sessions.find(params[:id])
+    end
+    def session_params
+      { user_agent: request.user_agent, ip_address: request.remote_ip }
+    end
 end

data/lib/generators/authentication/templates/erb/cancellations/new.html.erb.tt CHANGED Viewed

@@ -7,5 +7,5 @@
 <br>
 <div>
-  <%%= button_to "OK, close my account", cancellations_path %>
+  <%%= button_to "OK, close my account", cancellation_path %>
 </div>

data/lib/generators/authentication/templates/erb/emails/edit.html.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@
 <h1>Change your email</h1>
-<%%= form_with(model: @<%= model_resource_name %>, url: emails_path) do |form| %>
+<%%= form_with(model: @<%= model_resource_name %>, url: email_path) do |form| %>
   <%% if @<%= singular_table_name %>.errors.any? %>
     <div style="color: red">
       <h2><%%= pluralize(@<%= singular_table_name %>.errors.count, "error") %> prohibited this <%= singular_table_name %> from being saved:</h2>

data/lib/generators/authentication/templates/erb/password_mailer/reset.html.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@
 <p>Can't remember your password for <strong><%%= params[:<%= singular_table_name %>].email %></strong>? That's OK, it happens. Just hit the link below to set a new one.</p>
-<p><%%= link_to "Reset my password", edit_password_resets_url(token: @signed_id) %></p>
+<p><%%= link_to "Reset my password", edit_password_reset_url(token: @signed_id) %></p>
 <p>If you did not request a password reset you can safely ignore this email, it expires in 20 minutes. Only someone with access to this email account can reset your password.</p>

data/lib/generators/authentication/templates/erb/password_mailer/reset.text.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@ Hey there,
 Can't remember your password for <%%= params[:<%= singular_table_name %>].email %>? That's OK, it happens. Just hit the link below to set a new one.
-[Reset my password]<%%= edit_password_resets_url(token: @signed_id) %>
+[Reset my password]<%%= edit_password_reset_url(token: @signed_id) %>
 If you did not request a password reset you can safely ignore this email, it expires in 20 minutes. Only someone with access to this email account can reset your password.

data/lib/generators/authentication/templates/erb/password_resets/edit.html.erb.tt CHANGED Viewed

@@ -1,6 +1,6 @@
 <h1>Reset your password</h1>
-<%%= form_with(model: @<%= model_resource_name %>, url: password_resets_path) do |form| %>
+<%%= form_with(model: @<%= model_resource_name %>, url: password_reset_path) do |form| %>
   <%% if @<%= singular_table_name %>.errors.any? %>
     <div style="color: red">
       <h2><%%= pluralize(@<%= singular_table_name %>.errors.count, "error") %> prohibited this <%= singular_table_name %> from being saved:</h2>

data/lib/generators/authentication/templates/erb/password_resets/new.html.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@
 <h1>Forgot your password?</h1>
-<%%= form_with(url: password_resets_path) do |form| %>
+<%%= form_with(url: password_reset_path) do |form| %>
   <div>
     <%%= form.label :email, style: "display: block" %>
     <%%= form.email_field :email, autofocus: true, required: true %>

data/lib/generators/authentication/templates/erb/passwords/edit.html.erb.tt CHANGED Viewed

@@ -2,7 +2,7 @@
 <h1>Change your password</h1>
-<%%= form_with(model: @<%= model_resource_name %>, url: passwords_path) do |form| %>
+<%%= form_with(model: @<%= model_resource_name %>, url: password_path) do |form| %>
   <%% if @<%= singular_table_name %>.errors.any? %>
     <div style="color: red">
       <h2><%%= pluralize(@<%= singular_table_name %>.errors.count, "error") %> prohibited this <%= singular_table_name %> from being saved:</h2>

data/lib/generators/authentication/templates/erb/session_mailer/signed_in.html.erb.tt ADDED Viewed

@@ -0,0 +1,21 @@
+<p>Hey there,</p>
+<p>A new device just signed in to your account (<%%= @session.<%= singular_table_name %>.email %>).</p>
+<p>
+  <strong><%%= @session.user_agent %></strong>
+  <br>
+  <%%= @session.created_at %>
+  <br>
+  IP address: <%%= @session.ip_address %>
+</p>
+<p><strong>If this was you, carry on.</strong> We won't notify you about sign-ins from this device again.</p>
+<p><strong>If you don't recognize this device</strong>, someone else may have accessed your account. You should immediately <%%= link_to "change your password", new_password_reset_url %>.</p>
+<p><strong>Tip:</strong> It's a good idea to periodically review all of the <%%= link_to "devices and sessions", sessions_url %> in your account for suspicious activity.</p>
+<hr>
+<p>Have questions or need help? Just reply to this email and our support team will help you sort it out.</p>

data/lib/generators/authentication/templates/erb/session_mailer/signed_in.text.erb.tt ADDED Viewed

@@ -0,0 +1,17 @@
+Hey there,
+A new device just signed in to your account (<%%= @session.<%= singular_table_name %>.email %>).
+<%%= @session.user_agent %>
+<%%= @session.created_at %>
+<%%= @session.ip_address %>
+If this was you, carry on. We won't notify you about sign-ins from this device again.
+If you don't recognize this device, someone else may have accessed your account. You should immediately [change your password]<%%= new_password_reset_url %>.
+Tip: It's a good idea to periodically review all of the [devices and sessions]<%%= sessions_url %> in your account for suspicious activity.
+<p>Have questions or need help? Just reply to this email and our support team will help you sort it out.

data/lib/generators/authentication/templates/erb/sessions/index.html.erb.tt ADDED Viewed

@@ -0,0 +1,34 @@
+<p style="color: green"><%%= notice %></p>
+<h1>Sessions</h1>
+<div id="sessions">
+  <%% @sessions.each do |session| %>
+    <div id="<%%= dom_id session %>">
+      <p>
+        <strong>User Agent:</strong>
+        <%%= session.user_agent %>
+      </p>
+      <p>
+        <strong>Ip Address:</strong>
+        <%%= session.ip_address %>
+      </p>
+      <p>
+        <strong>Created at:</strong>
+        <%%= session.created_at %>
+      </p>
+    </div>
+    <p>
+      <%%= button_to "Log out", session, method: :delete %>
+    </p>
+  <%% end %>
+</div>
+<br>
+<div>
+  <%%= link_to "Back", root_path %>
+</div>

data/lib/generators/authentication/templates/erb/sessions/new.html.erb.tt CHANGED Viewed

@@ -14,11 +14,6 @@
     <%%= form.password_field :password, required: true, autocomplete: "current-password" %>
   </div>
-  <div>
-    <%%= form.check_box :remember_me %>
-    <%%= form.label :remember_me %>
-  </div>
   <div>
     <%%= form.submit "Sign in" %>
   </div>
@@ -28,5 +23,5 @@
 <div>
   <%%= link_to "Sign up", sign_up_path %> |
-  <%%= link_to "Forgot your password?", new_password_resets_path %>
+  <%%= link_to "Forgot your password?", new_password_reset_path %>
 </div>

data/lib/generators/authentication/templates/mailers/password_mailer.rb.tt CHANGED Viewed

@@ -1,10 +1,6 @@
 class PasswordMailer < ApplicationMailer
-  def changed
-    mail to: params[:<%= singular_table_name %>].email
-  end
   def reset
     @signed_id = params[:<%= singular_table_name %>].signed_id(purpose: :password_reset, expires_in: 20.minutes)
-    mail to: params[:<%= singular_table_name %>].email
+    mail to: params[:<%= singular_table_name %>].email, subject: "Reset your password"
   end
 end

data/lib/generators/authentication/templates/mailers/session_mailer.rb.tt ADDED Viewed

@@ -0,0 +1,6 @@
+class SessionMailer < ApplicationMailer
+  def signed_in
+    @session = params[:session]
+    mail to: @session.<%= singular_table_name %>.email, subject: "New sign-in to your account"
+  end
+end

data/lib/generators/authentication/templates/migrations/create_sessions_migration.rb.tt ADDED Viewed

@@ -0,0 +1,11 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :sessions do |t|
+      t.references :<%= singular_table_name %>, null: false, foreign_key: true
+      t.string :user_agent
+      t.string :ip_address
+      t.timestamps
+    end
+  end
+end

data/lib/generators/authentication/templates/migrations/create_table_migration.rb.tt ADDED Viewed

@@ -0,0 +1,12 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :<%= table_name %> do |t|
+      t.string :email, null: false
+      t.string :password_digest, null: false
+      t.timestamps
+    end
+    add_index :<%= table_name %>, :email, unique: true
+  end
+end

data/lib/generators/authentication/templates/models/current.rb.tt CHANGED Viewed

@@ -1,3 +1,7 @@
 class Current < ActiveSupport::CurrentAttributes
-  attribute :<%= singular_table_name %>
+  attribute :session, :<%= singular_table_name %>
+  def session=(session)
+    super; Current.<%= singular_table_name %> = session.<%= singular_table_name %>
+  end
 end

data/lib/generators/authentication/templates/models/model.rb.tt CHANGED Viewed

@@ -1,7 +1,8 @@
 class <%= class_name %> < ApplicationRecord
-  has_secure_token :session_token
   has_secure_password
+  has_many :sessions, dependent: :destroy
   validates :email, presence: true, uniqueness: true
   validates :email, format: { with: /\A[^@\s]+@[^@\s]+\z/ }
   validates_length_of :password, minimum: 8, allow_blank: true
@@ -9,31 +10,4 @@ class <%= class_name %> < ApplicationRecord
   before_validation do
     self.email = email.downcase.strip
   end
-  after_update_commit do
-    if self.email_previously_changed?
-      EmailMailer.with(change: self.email_previous_change).changed.deliver_later
-    end
-  end
-  after_update_commit do
-    if self.password_digest_previously_changed?
-      PasswordMailer.with(<%= singular_table_name %>: self).changed.deliver_later
-    end
-  end
-<% if options.api? %>
-  def signed_session_token
-    Rails.application.message_verifier(:session_token).generate(session_token)
-  end
-  def self.find_signed_session_token(signed_session_token)
-    if session_token = Rails.application.message_verifier(:session_token).verified(signed_session_token)
-      find_by_session_token(session_token)
-    end
-  end
-  def as_json(options = {})
-    super(options.merge(except: [:password_digest, :session_token]))
-  end
-<% end -%>
 end

data/lib/generators/authentication/templates/models/session.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+class Session < ApplicationRecord
+  belongs_to :<%= singular_table_name %>
+  after_create_commit do
+    SessionMailer.with(session: self).signed_in.deliver_later
+  end
+end

data/lib/generators/authentication/templates/test_unit/controllers/api/cancellations_controller_test.rb.tt CHANGED Viewed

@@ -7,7 +7,7 @@ class CancellationsControllerTest < ActionDispatch::IntegrationTest
   test "should create cancellation" do
     assert_difference("<%= class_name %>.count", -1) do
-      post cancellations_url, headers: { "Authorization" => "Bearer #{@token}" }
+      post cancellation_url, headers: { "Authorization" => "Bearer #{@token}" }
     end
     assert_response :no_content
@@ -15,6 +15,6 @@ class CancellationsControllerTest < ActionDispatch::IntegrationTest
   def sign_in_as(<%= singular_table_name %>)
     post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "secret123" })
-    [<%= singular_table_name %>, response.parsed_body["session_token"]]
-  end
+    [<%= singular_table_name %>, response.headers["X-Session-Token"]]
+  end
 end