authentication-zero 2.16.1 → 2.16.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7dd52b852437d965454115d4fbb2d80f6b97f04dbe0d77e8a4524a4fb6052a89
4
- data.tar.gz: 297f4bc57d8612d77c89eae113b558014f9b3b174eeebd13c2c6d73d78d7cad5
3
+ metadata.gz: 4a9f5862b8b603990471ab970d13cf934f73252c55a734a39a90198406066a75
4
+ data.tar.gz: d6bf9bda2ef8d19df6da9207e40e5621eb1157b2073921ff5dbee6ce00ff22a2
5
5
  SHA512:
6
- metadata.gz: e43b09a82b8a63605a3c7ddb2d139890c5bd5153db25b8c5a535f570cf796a12f1e2520add1231bf72d95b4821871c0da72adc21e6a09b4597e5e9e65db9407f
7
- data.tar.gz: d2d50163045d57ee8b87a0277b0f023d4d35d603637bc94bcae7c78f914afde8131ba725095627256fe93f77ca5484adb8b2247cf238b80bc3e57175db625b38
6
+ metadata.gz: 8ccdcba2c6dd5edf45b60acd1462ef02eb46bf4e4f9a9a0a7860a2e840ff18f58a1d655b2f9e7f3c45cc497aac04fc269ae86186df6cbdbfb70f46e51bc49db0
7
+ data.tar.gz: e70d3a8012378093f060dc5084089ed77c87d6cc271db810b624c588324797e7c1748bd1bc345a5d5dce2ff0f3e6cabab7ba1f20e3abc8d3e7e590c43a799844
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- authentication-zero (2.16.1)
4
+ authentication-zero (2.16.3)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
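Review bot: the lock file and the version bump go straight from 2.16.1 to 2.16.3, and nothing in this diff adds a changelog entry, so a consumer upgrading cannot tell what 2.16.2 contained or that this release changes authentication behaviour (a sign-in lock, a sudo bypass for provider-backed users, the removal of the API document); a short CHANGELOG note should accompany the version change.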
data/README.md CHANGED
@@ -18,13 +18,12 @@ The purpose of authentication zero is to generate a pre-built authentication sys
18
18
  - Ask password before sensitive data changes, aka: sudo (--sudoable)
19
19
  - Reset the user password and send reset instructions
20
20
  - Reset the user password only from verified emails
21
- - Lock sending reset password email after many attempts (--lockable)
21
+ - Lock mechanism for resetting password and sign-in (--lockable)
22
22
  - Send e-mail confirmation when your email has been changed
23
23
  - Send e-mail notification when someone has logged into your account
24
24
  - Manage multiple sessions & devices
25
25
  - Activity log (--trackable)
26
26
  - Log out
27
- - [API documentation](https://github.com/lazaronixon/authentication-zero/blob/master/authentication-zero-api.md)
28
27
 
29
28
  ## Security and best practices
30
29
 
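Review bot: the rewritten feature line at line 21 now says --lockable covers both password reset and sign-in, but neither this README hunk nor the controller hunks state what the lock is keyed on (submitted email, client IP, or both) or how many failures trigger it; a lock keyed only on the submitted email lets anyone lock a victim out of sign-in, so the README should state the key and the threshold so that adopters can judge that trade-off. Dropping the API documentation link is consistent with the file being removed from the gem, but the README is then left with no description of the API endpoints at all; a short replacement section would be better than silent removal.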
@@ -48,7 +47,6 @@ $ bundle add authentication-zero
48
47
 
49
48
  ```
50
49
  $ rails generate authentication
51
- $ bundle install
52
50
  ```
53
51
 
54
52
  ## Development
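Review bot: removing `$ bundle install` from the quick-start only works if `rails generate authentication` installs the gems it adds; the generator hunk in this diff switches `add_gems` to the `gem` action, which only edits the Gemfile, and nothing visible in this diff runs Bundler afterwards, so a reader following the README may end up with `bcrypt` listed in the Gemfile but not installed and the next `rails` command failing. Either keep the line or have the generator run bundle and say so here.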
@@ -1,3 +1,3 @@
1
1
  module AuthenticationZero
2
- VERSION = "2.16.1"
2
+ VERSION = "2.16.3"
3
3
  end
@@ -15,9 +15,12 @@ class AuthenticationGenerator < Rails::Generators::Base
15
15
  source_root File.expand_path("templates", __dir__)
16
16
 
17
17
  def add_gems
18
- uncomment_lines "Gemfile", /"bcrypt"/
19
- uncomment_lines "Gemfile", /"redis"/ if redis?
20
- uncomment_lines "Gemfile", /"kredis"/ if redis?
18
+ gem "bcrypt", "~> 3.1.7", comment: "Use Active Model has_secure_password [https://guides.rubyonrails.org/active_model_basics.html#securepassword]"
19
+
20
+ if redis?
21
+ gem "redis", ">= 4.0.1", comment: "Use Redis adapter to run additional authentication features"
22
+ gem "kredis", comment: "Use Kredis to get higher-level data types in Redis [https://github.com/rails/kredis]"
23
+ end
21
24
 
22
25
  if options.pwned?
23
26
  gem "pwned", comment: "Use Pwned to check if a password has been found in any of the huge data breaches [https://github.com/philnash/pwned]"
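Review bot: the old `uncomment_lines "Gemfile", /"bcrypt"/` relied on the commented `gem "bcrypt"` entry that a fresh Rails application's Gemfile already contains; the replacement `gem "bcrypt", "~> 3.1.7", comment: ...` appends a new entry instead, so such a Gemfile ends up with the commented line and a live one for the same gem, and likewise for redis and kredis when `redis?` is true. Either remove the commented line as part of the same step or keep `uncomment_lines` for the case where it exists. Separately, `">= 4.0.1"` for redis has no upper bound while bcrypt gets a pessimistic constraint; constraining both the same way keeps upgrades of the generated app predictable.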
@@ -26,5 +26,5 @@ class Identity::EmailVerificationsController < ApplicationController
26
26
  rescue
27
27
  render json: { error: "That email verification link is invalid" }, status: :bad_request
28
28
  <%- end -%>
29
- end
29
+ end
30
30
  end
@@ -1,6 +1,9 @@
1
1
  class SessionsController < ApplicationController
2
2
  skip_before_action :authenticate, only: :create
3
3
 
4
+ <%- if options.lockable? -%>
5
+ before_action :require_lock, only: :create
6
+ <%- end -%>
4
7
  before_action :set_session, only: %i[ show destroy ]
5
8
 
6
9
  def index
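Review bot: `before_action :require_lock, only: :create` references a `require_lock` method that is not defined anywhere in this diff, so the generated controller depends on another template (presumably a concern pulled into ApplicationController) providing it; the hunk should at least say where it comes from, otherwise an app generated without that template raises NameError on its first sign-in. Since `create` is also the one action that skips `authenticate`, this lock is the only throttle on the unauthenticated path; whether failed `create` attempts actually increment the counter, and what the counter is keyed on, decide whether it slows credential guessing at all, and neither is visible here.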
@@ -3,7 +3,11 @@ class ApplicationController < ActionController::Base
3
3
  before_action :authenticate
4
4
  <%- if options.sudoable? %>
5
5
  def require_sudo
6
+ <%- if omniauthable? -%>
7
+ unless Current.session.sudo? || Current.session.user.provider.present?
8
+ <%- else -%>
6
9
  unless Current.session.sudo?
10
+ <%- end -%>
7
11
  redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
8
12
  end
9
13
  end
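Review bot: with `omniauthable?`, the new condition `unless Current.session.sudo? || Current.session.user.provider.present?` means a user who signed in through a provider is never asked to re-authenticate before sudo-protected actions, so anyone at an unattended session can perform them; the `sudo?` freshness check is skipped entirely rather than being satisfied by a fresh provider round-trip. Consider sending provider users back through the provider (or to the sudo page with a provider button) and marking the session sudo on return, instead of bypassing the check, and the generated code should carry a comment explaining why provider users are treated differently.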
@@ -5,11 +5,7 @@ class Sessions::SudosController < ApplicationController
5
5
  def create
6
6
  session = Current.session
7
7
 
8
- <%- if omniauthable? -%>
9
- if session.user.authenticate(params[:password]) || session.user.provider
10
- <%- else -%>
11
8
  if session.user.authenticate(params[:password])
12
- <%- end -%>
13
9
  session.sudo.mark; redirect_to(params[:proceed_to_url])
14
10
  else
15
11
  redirect_to new_sessions_sudo_path(proceed_to_url: params[:proceed_to_url]), alert: "The password you entered is incorrect"
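Review bot: removing `|| session.user.provider` from the password check is the right direction for this form, since a provider-backed user who reaches it now needs a real password rather than being waved through; note however that the `require_sudo` change in the same diff stops such users from reaching this form at all, so for them the check is now dead code rather than a stronger one. If the intent is that provider users can never satisfy sudo with a password, a comment here would make that explicit.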
@@ -1,6 +1,9 @@
1
1
  class SessionsController < ApplicationController
2
2
  skip_before_action :authenticate, only: %i[ new create ]
3
3
 
4
+ <%- if options.lockable? -%>
5
+ before_action :require_lock, only: :create
6
+ <%- end -%>
4
7
  before_action :set_session, only: :destroy
5
8
 
6
9
  def index
@@ -14,19 +14,17 @@
14
14
  <div>
15
15
  <%%= link_to "Devices & Sessions", sessions_path %>
16
16
  </div>
17
-
18
- <%- if options.trackable? -%>
17
+ <%- if options.trackable? %>
19
18
  <div>
20
- <%# link_to "Activity Log", authentications_events_path %>
19
+ <%%= link_to "Activity Log", authentications_events_path %>
21
20
  </div>
22
-
23
21
  <%- end -%>
24
- <%- if two_factor? -%>
22
+ <%- if two_factor? %>
25
23
  <div>
26
- <%# link_to "Two-Factor Authentication", new_two_factor_authentication_totp_path %>
24
+ <%%= link_to "Two-Factor Authentication", new_two_factor_authentication_totp_path %>
27
25
  </div>
28
-
29
26
  <%- end -%>
27
+
30
28
  <br>
31
29
 
32
30
  <%%= button_to "Log out", Current.session, method: :delete %>
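Review bot: the `if` lines change from `<%- ... -%>` to `<%- ... %>` while the matching `<%- end -%>` lines keep the trimming form; taken together with the deleted blank lines at old 17, 22 and 28 this looks deliberate (the untrimmed `%>` emits the line break that the removed blank lines used to provide), but the mixed forms read as a mistake and the next person is likely to "fix" them back. A one-line comment in the template, or keeping the blank lines and the trimmed tags, would be clearer. Enabling the Activity Log and Two-Factor links themselves is fine, provided the corresponding routes are generated whenever `options.trackable?` and `two_factor?` are true.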
@@ -18,8 +18,7 @@
18
18
  <%%= form.submit "Sign in" %>
19
19
  </div>
20
20
  <%% end %>
21
-
22
- <%- if omniauthable? -%>
21
+ <%- if omniauthable? %>
23
22
  <div>
24
23
  <%%= button_to "Sign in with OmniAuth", "/auth/developer", "data-turbo" => false %>
25
24
  </div>
@@ -18,18 +18,17 @@ class User < ApplicationRecord
18
18
  validates :password, not_pwned: { message: "might easily be guessed" }
19
19
  <%- end -%>
20
20
 
21
- before_validation do
22
- self.email = email&.downcase&.strip
21
+ before_validation if: -> { email.present? } do
22
+ self.email = email.downcase.strip
23
23
  end
24
24
 
25
- before_validation if: -> { email_changed? && persisted? } do
25
+ before_validation if: :email_changed?, unless: :new_record? do
26
26
  self.verified = false
27
27
  end
28
28
 
29
29
  after_update if: :password_digest_previously_changed? do
30
30
  sessions.where.not(id: Current.session).destroy_all
31
31
  end
32
-
33
32
  <%- if options.trackable? %>
34
33
  after_update if: :email_previously_changed? do
35
34
  events.create! action: "email_verification_requested"
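Review bot: the two before_validation callbacks are order-sensitive: the normalization `self.email = email.downcase.strip` must run before `if: :email_changed?, unless: :new_record?` resets `verified`, otherwise a case-only or whitespace-only edit would unverify the account; the order here is correct, but a comment stating the dependency would keep a later reordering from silently breaking it. Guarding the normalization with `email.present?` is fine, as a blank email is rejected by validation anyway. On the unchanged context, `sessions.where.not(id: Current.session).destroy_all` runs on every password_digest change, including one made from a console or a job where `Current.session` is nil, in which case it becomes `where.not(id: nil)` and revokes every session; that is arguably the right outcome for an administrative reset, but it deserves a comment so it is not mistaken for a bug.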
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: authentication-zero
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.16.1
4
+ version: 2.16.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Nixon
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-12-21 00:00:00.000000000 Z
11
+ date: 2023-01-05 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description:
14
14
  email:
@@ -29,7 +29,6 @@ files:
29
29
  - LICENSE.txt
30
30
  - README.md
31
31
  - Rakefile
32
- - authentication-zero-api.md
33
32
  - authentication-zero.gemspec
34
33
  - lib/authentication-zero.rb
35
34
  - lib/authentication_zero.rb
@@ -1,192 +0,0 @@
1
- # Authentication Zero API
2
-
3
- This document describe the api endpoints available in authentication-zero.
4
-
5
- ## Making a request
6
-
7
- To make a sign in request for example, append sign_in to the base URL to form something like http://localhost:3000/sign_in, also notice you have to include the Content-Type header and the JSON data: In cURL, it looks like this:
8
-
9
- ``` shell
10
- curl -H "Authorization: Bearer $ACCESS_TOKEN" \
11
- -H 'Content-Type: application/json' \
12
- -H 'User-Agent: MyApp (yourname@example.com)' \
13
- -d '{ "email": "lazaronixon@hotmail.com", "password": "secret", "password_confirmation": "secret" }' \
14
- http://localhost:3000/sign_in
15
- ```
16
-
17
- ## API endpoints
18
-
19
- - [Sign up](#sign-up)
20
- - [Sign in](#sign-in)
21
- - [Get your sessions](#get-your-sessions)
22
- - [Get a session](#get-a-session)
23
- - [Destroy a session](#destroy-a-session)
24
- - [Update your password](#update-your-password)
25
- - [Update your email](#update-your-email)
26
- - [Send verification email](#send-verification-email)
27
- - [Verify email](#verify-email)
28
- - [Send password reset email](#send-password-reset-email)
29
- - [Reset password](#reset-password)
30
-
31
- ## Registrations
32
-
33
- ### Sign up
34
-
35
- * `POST /sign_up` creates a user on database.
36
-
37
- ###### Example JSON Request
38
-
39
- ``` json
40
- {
41
- "email": "lazaronixon@hotmail.com",
42
- "password": "Secret1*2*3*4*5*6",
43
- "password_confirmation": "Secret1*2*3*4*5*6"
44
- }
45
- ```
46
-
47
- This endpoint will return `201 Created` with the current JSON representation of the user if the creation was a success.
48
-
49
- ## Sessions
50
-
51
- ### Sign in
52
-
53
- * `POST /sign_in` creates a session on database.
54
-
55
- ###### Example JSON Request
56
-
57
- ``` json
58
- {
59
- "email": "lazaronixon@hotmail.com",
60
- "password": "Secret1*2*3*4*5*6"
61
- }
62
- ```
63
-
64
- This endpoint will return `201 Created` with the current JSON representation of the session if the creation was a success, also you will receive a `X-Session-Token` that you will use as your authorization token.
65
-
66
-
67
- ### Get your sessions
68
-
69
- * `GET /sessions` will return a list of sessions.
70
-
71
- ###### Example JSON Response
72
-
73
- ``` json
74
- [
75
- {
76
- "id": 2,
77
- "user_id": 1,
78
- "user_agent": "insomnia/2022.1.0",
79
- "ip_address": "127.0.0.1",
80
- "created_at": "2022-03-04T17:20:33.632Z",
81
- "updated_at": "2022-03-04T17:20:33.632Z"
82
- },
83
- {
84
- "id": 1,
85
- "user_id": 1,
86
- "user_agent": "insomnia/2022.1.0",
87
- "ip_address": "127.0.0.1",
88
- "created_at": "2022-03-04T17:14:03.386Z",
89
- "updated_at": "2022-03-04T17:14:03.386Z"
90
- }
91
- ]
92
- ```
93
-
94
- ### Get a session
95
-
96
- * `GET /sessions/1` will return the session with an ID of 1.
97
-
98
- ###### Example JSON Response
99
-
100
- ``` json
101
- {
102
- "id": 1,
103
- "user_id": 1,
104
- "user_agent": "insomnia/2022.1.0",
105
- "ip_address": "127.0.0.1",
106
- "created_at": "2022-03-04T17:14:03.386Z",
107
- "updated_at": "2022-03-04T17:14:03.386Z"
108
- }
109
- ```
110
-
111
- ### Destroy a session
112
-
113
- * `DELETE /sessions/1` will destroy the session with an ID of 1.
114
-
115
- Returns `204 No Content` if successful.
116
-
117
- ## Password
118
-
119
- ### Update your password
120
-
121
- * `PUT /password` allows changing your password.
122
-
123
- ###### Example JSON Request
124
-
125
- ``` json
126
- {
127
- "current_password": "Secret1*2*3*4*5*6",
128
- "password": "NewPassword12$34$56$7",
129
- "password_confirmation": "NewPassword12$34$56$7"
130
- }
131
- ```
132
-
133
- This endpoint will return 200 OK with the current JSON representation of the user if the update was a success.
134
-
135
- ## Email
136
-
137
- ### Update your email
138
-
139
- * `PUT /identity/email` allows changing your email. **(requires sudo)**.
140
-
141
- ###### Example JSON Request
142
-
143
- ``` json
144
- {
145
- "current_password": "Secret1*2*3*4*5*6",
146
- "email": "new_email@hey.com"
147
- }
148
- ```
149
-
150
- This endpoint will return 200 OK with the current JSON representation of the user if the update was a success.
151
-
152
- ## Email verification
153
-
154
- ### Send verification email
155
-
156
- * `POST /identity/email_verification` sends an email verification with the instructions and link to proceed with the verification.
157
-
158
- Returns `204 No Content` if successful.
159
-
160
- ### Verify email
161
-
162
- * `GET /identity/email_verification` verify your email using a temporary token.
163
-
164
- **Required parameters:** `email` and `token`.
165
-
166
- Example: `/identity/email_verification?email=lazaronixon@hotmail.com&token=eyJfcmFpbHMiOnsibWVzc2FnZSI6Ik1nPT0iLCJleHAiOm51bGwsInB1ciI6InNlc3Npb24ifX0=--1a277b4a5576c6e371144a22476979a18d3e45fb8515a79e815cd4b95eb5fb6b`
167
-
168
- Returns `204 No Content` if successful.
169
-
170
- ## Password reset
171
-
172
- ### Send password reset email
173
-
174
- * `POST /identity/password_reset` sends a password reset email with the instructions and link to proceed reset.
175
-
176
- Returns `204 No Content` if successful.
177
-
178
- ### Reset password
179
-
180
- * `PUT /identity/password_reset` allows changing your password through a email token.
181
-
182
- ##### Example JSON Request
183
-
184
- ``` json
185
- {
186
- "password": "NewPassword12$34$56$7",
187
- "password_confirmation": "NewPassword12$34$56$7",
188
- "token": "eyJfcmFpbHMiOnsibWVzc2FnZSI6Ik1nPT0iLCJleHAiOm51bGwsInB1ciI6InNlc3Npb24ifX0=--1a277b4a5576c6e371144a22476979a18d3e45fb8515a79e815cd4b95eb5fb6b",
189
- }
190
- ```
191
-
192
- This endpoint will return 200 OK with the current JSON representation of the user if the update was a success.
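Review bot: deleting authentication-zero-api.md removes the only documentation of the API mode's contract (the `X-Session-Token` header returned by `POST /sign_in`, which endpoints require sudo, the `email` and `token` parameters of email verification, and the response codes), and nothing in this diff adds a replacement even though the `render json:` controller templates are still generated; if the document was stale it should be corrected or moved rather than dropped. If it is brought back, the curl example at old lines 10 to 14 should be fixed at the same time: it sends an `Authorization: Bearer` header and a `password_confirmation` field to `/sign_in`, neither of which that endpoint needs according to the Sign in section immediately below it.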