authentication-zero 2.16.11 → 2.16.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c322e94333e2ab7cb4267e120c023f0de6bc908b5f91f966dc315ebe24fa99a
-  data.tar.gz: a472b502f2f0795d457aa7afa5c678fbe368c5cb98399c200416fee0caaa8573
+  metadata.gz: 4cba615fcc2174e4662ce5f805c6b2499638058c9dbcef5bfe520789290c1db2
+  data.tar.gz: 4f73d414bdbaad60361f592f739214d4b97711d7df08f1dc29522f8b03ed942e
 SHA512:
-  metadata.gz: 76a33fb738dfdeba9ab24a4189dabae296a1c3a369f96b771a202481f3361d576412998ffce4f97a193d47c51bb693d22028f0e33f4ff44b85be9f1c5ee151b3
-  data.tar.gz: ee103521ed7fe35a8afaa3a6cd8c669a3b999c20bbb783fe0f889daec2391e6820bc44a4e0113754b8b0297e4e68345fbc1f8c1450e2676460706ddb0e412af2
+  metadata.gz: 930bd997605a77a12d755b59469365124832403a6dddac106350a78c9893329c6f47bf9650e9e9c8ade54a8a648af265dd894cf1818934147fb23ea7ffa7f647
+  data.tar.gz: 4161d49cdecf59dd3d5b412281394373010a4ac08fcb2f07a20fb64b56788c17e40d1445270072efa2e48780dc7659f66091f1a2074786679cd09bcd6350e2e1

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## Authentication Zero 2.16.12 ##
+
+* Bring back --sudoable, just for html and you should set before_action yourself
+* Bring back --ratelimit
+* Removed signed in email notification
+
 ## Authentication Zero 2.16.11 ##
 
 * Added sending invitation

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (2.16.11)
+    authentication-zero (2.16.12)
 
 GEM
   remote: https://rubygems.org/

data/README.md

@@ -33,11 +33,12 @@ Since Authentication Zero generates this code into your application instead of b
 - Send invitations (--invitable)
 - Verify email using a link with token
 - Verify email using a six random digits code for api (--code-verifiable)
+- Ask password before sensitive data changes, aka: sudo (--sudoable)
 - Reset the user password and send reset instructions
 - Reset the user password only from verified emails
-- Lock mechanism for resetting password (--lockable)
+- Lock mechanism to prevent spamming (--lockable)
+- Rate limiting for your app, 1000 reqs/minute (--ratelimit)
 - Send e-mail confirmation when your email has been changed
-- Send e-mail notification when someone has logged into your account
 - Manage multiple sessions & devices
 - Activity log (--trackable)
 - Log out
@@ -53,6 +54,7 @@ Since Authentication Zero generates this code into your application instead of b
 - [log filtering](https://guides.rubyonrails.org/action_controller_overview.html#log-filtering): Parameters 'token' and 'password' are marked [FILTERED] in the log.
 - [functional tests](https://guides.rubyonrails.org/testing.html#functional-tests-for-your-controllers): In Rails, testing the various actions of a controller is a form of writing functional tests.
 - [system testing](https://guides.rubyonrails.org/testing.html#system-testing): System tests allow you to test user interactions with your application, running tests in either a real or a headless browser.
+- **sudoable**: Use `before_action :require_sudo` in controllers with sensitive information, it will ask for your password on the first access or after 30 minutes.
 
 ## Development
 

data/lib/authentication_zero/version.rb

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "2.16.11"
+  VERSION = "2.16.12"
 end

data/lib/generators/authentication/authentication_generator.rb

@@ -6,7 +6,9 @@ class AuthenticationGenerator < Rails::Generators::Base
   class_option :api,             type: :boolean, desc: "Generates API authentication"
   class_option :pwned,           type: :boolean, desc: "Add pwned password validation"
   class_option :code_verifiable, type: :boolean, desc: "Add email verification using a code for api"
+  class_option :sudoable,        type: :boolean, desc: "Add password request before sensitive data changes"
   class_option :lockable,        type: :boolean, desc: "Add password reset locking"
+  class_option :ratelimit,       type: :boolean, desc: "Add request rate limiting"
   class_option :passwordless,    type: :boolean, desc: "Add passwordless sign"
   class_option :omniauthable,    type: :boolean, desc: "Add social login support"
   class_option :trackable,       type: :boolean, desc: "Add activity log support"
@@ -18,6 +20,10 @@ class AuthenticationGenerator < Rails::Generators::Base
   def add_gems
     gem "bcrypt", "~> 3.1.7", comment: "Use Active Model has_secure_password [https://guides.rubyonrails.org/active_model_basics.html#securepassword]"
 
+    if options.ratelimit?
+      gem "rack-ratelimit", group: :production, comment: "Use Rack::Ratelimit to rate limit requests [https://github.com/jeremy/rack-ratelimit]"
+    end
+
     if redis?
       gem "redis", ">= 4.0.1", comment: "Use Redis adapter to run additional authentication features"
       gem "kredis", comment: "Use Kredis to get higher-level data types in Redis [https://github.com/rails/kredis]"
@@ -41,6 +47,7 @@ class AuthenticationGenerator < Rails::Generators::Base
   def add_environment_configurations
     application "config.action_mailer.default_url_options = { host: \"localhost\", port: 3000 }", env: "development"
     application "config.action_mailer.default_url_options = { host: \"localhost\", port: 3000 }", env: "test"
+    environment ratelimit_block, env: "production" if options.ratelimit?
   end
 
   def create_configuration_files
@@ -81,6 +88,7 @@ class AuthenticationGenerator < Rails::Generators::Base
     template  "controllers/#{format_folder}/invitations_controller.rb", "app/controllers/invitations_controller.rb" if invitable?
     template  "controllers/#{format_folder}/registrations_controller.rb", "app/controllers/registrations_controller.rb"
     template  "controllers/#{format_folder}/home_controller.rb", "app/controllers/home_controller.rb" unless options.api?
+    template  "controllers/#{format_folder}/sessions/sudos_controller.rb", "app/controllers/sessions/sudos_controller.rb" if sudoable?
     template  "controllers/#{format_folder}/sessions/omniauth_controller.rb", "app/controllers/sessions/omniauth_controller.rb" if omniauthable?
     template  "controllers/#{format_folder}/sessions/passwordlesses_controller.rb", "app/controllers/sessions/passwordlesses_controller.rb" if passwordless?
     template  "controllers/#{format_folder}/authentications/events_controller.rb", "app/controllers/authentications/events_controller.rb" if options.trackable?
@@ -89,10 +97,8 @@ class AuthenticationGenerator < Rails::Generators::Base
   def create_views
     if options.api?
       directory "erb/user_mailer", "app/views/user_mailer"
-      directory "erb/session_mailer", "app/views/session_mailer"
     else
       directory "erb/user_mailer", "app/views/user_mailer"
-      directory "erb/session_mailer", "app/views/session_mailer"
 
       directory "erb/home", "app/views/home"
 
@@ -105,6 +111,8 @@ class AuthenticationGenerator < Rails::Generators::Base
       template "erb/sessions/index.html.erb", "app/views/sessions/index.html.erb"
       template "erb/sessions/new.html.erb", "app/views/sessions/new.html.erb"
 
+      directory "erb/sessions/sudos", "app/views/sessions/sudos" if sudoable?
+
       directory "erb/sessions/passwordlesses", "app/views/sessions/passwordlesses" if passwordless?
 
       directory "erb/two_factor_authentication", "app/views/two_factor_authentication" if two_factor?
@@ -119,6 +127,10 @@ class AuthenticationGenerator < Rails::Generators::Base
   def add_routes
     route "root 'home#index'" unless options.api?
 
+    if sudoable?
+      route "resource :sudo, only: [:new, :create]", namespace: :sessions
+    end
+
     if passwordless?
       route "resource :passwordless, only: [:new, :edit, :create]", namespace: :sessions
     end
@@ -163,6 +175,13 @@ class AuthenticationGenerator < Rails::Generators::Base
       options.api? ? "api" : "html"
     end
 
+    def ratelimit_block
+      <<~CODE
+        # Rate limit general requests by IP address in a rate of 1000 requests per minute
+        config.middleware.use(Rack::Ratelimit, name: "General", rate: [1000, 1.minute], redis: Redis.new, logger: Rails.logger) { |env| ActionDispatch::Request.new(env).ip }
+      CODE
+    end
+
     def omniauthable?
       options.omniauthable? && !options.api?
     end
@@ -179,11 +198,15 @@ class AuthenticationGenerator < Rails::Generators::Base
       options.invitable? && !options.api?
     end
 
+    def sudoable?
+      options.sudoable? && !options.api?
+    end
+
     def code_verifiable?
       options.code_verifiable? && options.api?
     end
 
     def redis?
-      options.lockable? || code_verifiable?
+      options.lockable? || options.ratelimit? || sudoable? || code_verifiable?
     end
 end

data/lib/generators/authentication/templates/controllers/api/sessions_controller.rb.tt

@@ -1,9 +1,6 @@
 class SessionsController < ApplicationController
   skip_before_action :authenticate, only: :create
 
-  <%- if options.lockable? -%>
-  before_action :require_lock, attempts: 20, only: :create
-  <%- end -%>
   before_action :set_session, only: %i[ show destroy ]
 
   def index

data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt

@@ -1,6 +1,12 @@
 class ApplicationController < ActionController::Base
   before_action :set_current_request_details
   before_action :authenticate
+  <%- if sudoable? %>
+  def require_sudo
+    return if Current.session.sudo?
+    redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
+  end
+  <%- end -%>
   <%- if options.lockable? %>
   def require_lock(wait: 1.hour, attempts: 10)
     counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)

data/lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt

@@ -0,0 +1,14 @@
+class Sessions::SudosController < ApplicationController
+  def new
+  end
+
+  def create
+    session = Current.session
+
+    if session.user.authenticate(params[:password])
+      session.sudo.mark; redirect_to(params[:proceed_to_url])
+    else
+      redirect_to new_sessions_sudo_path(proceed_to_url: params[:proceed_to_url]), alert: "The password you entered is incorrect"
+    end
+  end
+end

data/lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt

@@ -0,0 +1,28 @@
+<p style="color: red"><%%= alert %></p>
+
+<h1>Enter your password to continue</h1>
+
+<%%= form_with(url: sessions_sudo_path) do |form| %>
+
+  <%%= form.hidden_field :proceed_to_url, value: params[:proceed_to_url] %>
+
+  <div>
+    <%%= form.password_field :password, required: true, autofocus: true, autocomplete: "current-password" %>
+  </div>
+
+  <div>
+    <%%= form.submit "Continue" %>
+  </div>
+<%% end %>
+
+<br>
+
+<p>
+  <strong>Why are you asking me to do this?</strong><br>
+  To better protect your account, we'll occasionally ask you to confirm your password before performing sensitive actions.
+</p>
+
+<p>
+  <strong>Forgot your password?</strong><br>
+  We'll help you <%%= link_to "reset it", new_identity_password_reset_path %> so you can continue.
+</p>

data/lib/generators/authentication/templates/models/session.rb.tt

@@ -1,21 +1,18 @@
 class Session < ApplicationRecord
   belongs_to :user
+  <%- if sudoable? %>
+  kredis_flag :sudo, expires_in: 30.minutes
+  <%- end -%>
 
   before_create do
     self.user_agent = Current.user_agent
     self.ip_address = Current.ip_address
   end
-
-  after_create_commit do
-    SessionMailer.with(session: self).signed_in_notification.deliver_later
-  end
+  <%- if sudoable? %>
+  after_create { sudo.mark }
+  <%- end -%>
   <%- if options.trackable? %>
-  after_create do
-    user.events.create! action: "signed_in"
-  end
-
-  after_destroy do
-    user.events.create! action: "signed_out"
-  end
+  after_create  { user.events.create! action: "signed_in" }
+  after_destroy { user.events.create! action: "signed_out" }
   <%- end -%>
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/sessions_controller_test.rb.tt

@@ -21,8 +21,6 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 
   test "should sign in" do
     post sign_in_url, params: { email: @user.email, password: "Secret1*3*5*" }
-
-    assert_enqueued_email_with SessionMailer, :signed_in_notification, args: { session: @user.sessions.last }
     assert_response :created
   end
 

data/lib/generators/authentication/templates/test_unit/controllers/html/sessions_controller_test.rb.tt

@@ -19,8 +19,6 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 
   test "should sign in" do
     post sign_in_url, params: { email: @user.email, password: "Secret1*3*5*" }
-    assert_enqueued_email_with SessionMailer, :signed_in_notification, args: { session: @user.sessions.last }
-
     assert_redirected_to root_url
 
     get root_url

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 2.16.11
+  version: 2.16.12
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-02 00:00:00.000000000 Z
+date: 2023-04-03 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -56,6 +56,7 @@ files:
 - lib/generators/authentication/templates/controllers/html/registrations_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions/omniauth_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions/passwordlesses_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt
@@ -67,17 +68,16 @@ files:
 - lib/generators/authentication/templates/erb/invitations/new.html.erb.tt
 - lib/generators/authentication/templates/erb/passwords/edit.html.erb.tt
 - lib/generators/authentication/templates/erb/registrations/new.html.erb.tt
-- lib/generators/authentication/templates/erb/session_mailer/signed_in_notification.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/index.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/new.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/passwordlesses/new.html.erb.tt
+- lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt
 - lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt
 - lib/generators/authentication/templates/erb/two_factor_authentication/totps/new.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/email_verification.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/invitation_instructions.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/password_reset.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/passwordless.html.erb.tt
-- lib/generators/authentication/templates/mailers/session_mailer.rb.tt
 - lib/generators/authentication/templates/mailers/user_mailer.rb.tt
 - lib/generators/authentication/templates/migrations/create_email_verification_tokens_migration.rb.tt
 - lib/generators/authentication/templates/migrations/create_events_migration.rb.tt
@@ -105,7 +105,6 @@ files:
 - lib/generators/authentication/templates/test_unit/controllers/html/passwords_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/html/registrations_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/html/sessions_controller_test.rb.tt
-- lib/generators/authentication/templates/test_unit/mailers/session_mailer_test.rb.tt
 - lib/generators/authentication/templates/test_unit/mailers/user_mailer_test.rb.tt
 - lib/generators/authentication/templates/test_unit/system/identity/emails_test.rb.tt
 - lib/generators/authentication/templates/test_unit/system/identity/password_resets_test.rb.tt

data/lib/generators/authentication/templates/erb/session_mailer/signed_in_notification.html.erb.tt

@@ -1,21 +0,0 @@
-<p>Hey there,</p>
-
-<p>A new device just signed in to your account (<%%= @session.user.email %>).</p>
-
-<p>
-  <strong><%%= @session.user_agent %></strong>
-  <br>
-  <%%= @session.created_at %>
-  <br>
-  IP address: <%%= @session.ip_address %>
-</p>
-
-<p><strong>If this was you, carry on.</strong> We could notify you about sign-ins from this device again.</p>
-
-<p><strong>If you don't recognize this device</strong>, someone else may have accessed your account. You should immediately <%%= link_to "change your password", new_identity_password_reset_url %>.</p>
-
-<p><strong>Tip:</strong> It's a good idea to periodically review all of the <%%= link_to "devices and sessions", sessions_url %> in your account for suspicious activity.</p>
-
-<hr>
-
-<p>Have questions or need help? Just reply to this email and our support team will help you sort it out.</p>

data/lib/generators/authentication/templates/mailers/session_mailer.rb.tt

@@ -1,6 +0,0 @@
-class SessionMailer < ApplicationMailer
-  def signed_in_notification
-    @session = params[:session]
-    mail to: @session.user.email, subject: "New sign-in to your account"
-  end
-end

data/lib/generators/authentication/templates/test_unit/mailers/session_mailer_test.rb.tt

@@ -1,13 +0,0 @@
-require "test_helper"
-
-class SessionMailerTest < ActionMailer::TestCase
-  setup do
-    @session = users(:lazaro_nixon).sessions.create!
-  end
-
-  test "signed_in_notification" do
-    mail = SessionMailer.with(session: @session).signed_in_notification
-    assert_equal "New sign-in to your account", mail.subject
-    assert_equal [@session.user.email], mail.to
-  end
-end