RubyGems - authentication-zero - Versions diffs - 2.16.11 → 2.16.13 - Mend

authentication-zero 2.16.11 → 2.16.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c322e94333e2ab7cb4267e120c023f0de6bc908b5f91f966dc315ebe24fa99a
-  data.tar.gz: a472b502f2f0795d457aa7afa5c678fbe368c5cb98399c200416fee0caaa8573
+  metadata.gz: fd4aba188e6a8763ada4f0cc90f370e8980afd0903e3e5f17a5f4bcc5db7c8d6
+  data.tar.gz: 8e16e20f5ed9d2cf1aadd469bdeffae20e1c51ab030bb5731697ae37dd749079
 SHA512:
-  metadata.gz: 76a33fb738dfdeba9ab24a4189dabae296a1c3a369f96b771a202481f3361d576412998ffce4f97a193d47c51bb693d22028f0e33f4ff44b85be9f1c5ee151b3
-  data.tar.gz: ee103521ed7fe35a8afaa3a6cd8c669a3b999c20bbb783fe0f889daec2391e6820bc44a4e0113754b8b0297e4e68345fbc1f8c1450e2676460706ddb0e412af2
+  metadata.gz: dc0688a6b1fae46b456d7c7ce473f1a4414f13bf9bc29439c6d687a67e9122d58eb76e592ef2796c79f1b0e19816e66e6a92f7278dc9df31c9595382108016ce
+  data.tar.gz: 06d51e04679f0821a4cb296f2e06f588c0614b75ae1f8ca6ce370cbca494d950280b617e8f6346539ddbe8d412838c9fdb9fceb4b6315d47b3471e30b9b7cd19

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,14 @@
+## Authentication Zero 2.16.13 ##
+* Enable resend invitation
+* Refactor first_or_initialize -> find_or_initialize_by
+## Authentication Zero 2.16.12 ##
+* Bring back --sudoable, just for html and you should set before_action yourself
+* Bring back --ratelimit
+* Removed signed in email notification
 ## Authentication Zero 2.16.11 ##
 * Added sending invitation

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (2.16.11)
+    authentication-zero (2.16.13)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED Viewed

@@ -33,11 +33,12 @@ Since Authentication Zero generates this code into your application instead of b
 - Send invitations (--invitable)
 - Verify email using a link with token
 - Verify email using a six random digits code for api (--code-verifiable)
+- Ask password before sensitive data changes, aka: sudo (--sudoable)
 - Reset the user password and send reset instructions
 - Reset the user password only from verified emails
-- Lock mechanism for resetting password (--lockable)
+- Lock mechanism to prevent spamming (--lockable)
+- Rate limiting for your app, 1000 reqs/minute (--ratelimit)
 - Send e-mail confirmation when your email has been changed
-- Send e-mail notification when someone has logged into your account
 - Manage multiple sessions & devices
 - Activity log (--trackable)
 - Log out
@@ -53,6 +54,7 @@ Since Authentication Zero generates this code into your application instead of b
 - [log filtering](https://guides.rubyonrails.org/action_controller_overview.html#log-filtering): Parameters 'token' and 'password' are marked [FILTERED] in the log.
 - [functional tests](https://guides.rubyonrails.org/testing.html#functional-tests-for-your-controllers): In Rails, testing the various actions of a controller is a form of writing functional tests.
 - [system testing](https://guides.rubyonrails.org/testing.html#system-testing): System tests allow you to test user interactions with your application, running tests in either a real or a headless browser.
+- **sudoable**: Use `before_action :require_sudo` in controllers with sensitive information, it will ask for your password on the first access or after 30 minutes.
 ## Development

data/lib/authentication_zero/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "2.16.11"
+  VERSION = "2.16.13"
 end

data/lib/generators/authentication/authentication_generator.rb CHANGED Viewed

@@ -6,7 +6,9 @@ class AuthenticationGenerator < Rails::Generators::Base
   class_option :api,             type: :boolean, desc: "Generates API authentication"
   class_option :pwned,           type: :boolean, desc: "Add pwned password validation"
   class_option :code_verifiable, type: :boolean, desc: "Add email verification using a code for api"
+  class_option :sudoable,        type: :boolean, desc: "Add password request before sensitive data changes"
   class_option :lockable,        type: :boolean, desc: "Add password reset locking"
+  class_option :ratelimit,       type: :boolean, desc: "Add request rate limiting"
   class_option :passwordless,    type: :boolean, desc: "Add passwordless sign"
   class_option :omniauthable,    type: :boolean, desc: "Add social login support"
   class_option :trackable,       type: :boolean, desc: "Add activity log support"
@@ -18,6 +20,10 @@ class AuthenticationGenerator < Rails::Generators::Base
   def add_gems
     gem "bcrypt", "~> 3.1.7", comment: "Use Active Model has_secure_password [https://guides.rubyonrails.org/active_model_basics.html#securepassword]"
+    if options.ratelimit?
+      gem "rack-ratelimit", group: :production, comment: "Use Rack::Ratelimit to rate limit requests [https://github.com/jeremy/rack-ratelimit]"
+    end
     if redis?
       gem "redis", ">= 4.0.1", comment: "Use Redis adapter to run additional authentication features"
       gem "kredis", comment: "Use Kredis to get higher-level data types in Redis [https://github.com/rails/kredis]"
@@ -41,6 +47,7 @@ class AuthenticationGenerator < Rails::Generators::Base
   def add_environment_configurations
     application "config.action_mailer.default_url_options = { host: \"localhost\", port: 3000 }", env: "development"
     application "config.action_mailer.default_url_options = { host: \"localhost\", port: 3000 }", env: "test"
+    environment ratelimit_block, env: "production" if options.ratelimit?
   end
   def create_configuration_files
@@ -81,6 +88,7 @@ class AuthenticationGenerator < Rails::Generators::Base
     template  "controllers/#{format_folder}/invitations_controller.rb", "app/controllers/invitations_controller.rb" if invitable?
     template  "controllers/#{format_folder}/registrations_controller.rb", "app/controllers/registrations_controller.rb"
     template  "controllers/#{format_folder}/home_controller.rb", "app/controllers/home_controller.rb" unless options.api?
+    template  "controllers/#{format_folder}/sessions/sudos_controller.rb", "app/controllers/sessions/sudos_controller.rb" if sudoable?
     template  "controllers/#{format_folder}/sessions/omniauth_controller.rb", "app/controllers/sessions/omniauth_controller.rb" if omniauthable?
     template  "controllers/#{format_folder}/sessions/passwordlesses_controller.rb", "app/controllers/sessions/passwordlesses_controller.rb" if passwordless?
     template  "controllers/#{format_folder}/authentications/events_controller.rb", "app/controllers/authentications/events_controller.rb" if options.trackable?
@@ -89,10 +97,8 @@ class AuthenticationGenerator < Rails::Generators::Base
   def create_views
     if options.api?
       directory "erb/user_mailer", "app/views/user_mailer"
-      directory "erb/session_mailer", "app/views/session_mailer"
     else
       directory "erb/user_mailer", "app/views/user_mailer"
-      directory "erb/session_mailer", "app/views/session_mailer"
       directory "erb/home", "app/views/home"
@@ -105,6 +111,8 @@ class AuthenticationGenerator < Rails::Generators::Base
       template "erb/sessions/index.html.erb", "app/views/sessions/index.html.erb"
       template "erb/sessions/new.html.erb", "app/views/sessions/new.html.erb"
+      directory "erb/sessions/sudos", "app/views/sessions/sudos" if sudoable?
       directory "erb/sessions/passwordlesses", "app/views/sessions/passwordlesses" if passwordless?
       directory "erb/two_factor_authentication", "app/views/two_factor_authentication" if two_factor?
@@ -119,6 +127,10 @@ class AuthenticationGenerator < Rails::Generators::Base
   def add_routes
     route "root 'home#index'" unless options.api?
+    if sudoable?
+      route "resource :sudo, only: [:new, :create]", namespace: :sessions
+    end
     if passwordless?
       route "resource :passwordless, only: [:new, :edit, :create]", namespace: :sessions
     end
@@ -163,6 +175,13 @@ class AuthenticationGenerator < Rails::Generators::Base
       options.api? ? "api" : "html"
     end
+    def ratelimit_block
+      <<~CODE
+        # Rate limit general requests by IP address in a rate of 1000 requests per minute
+        config.middleware.use(Rack::Ratelimit, name: "General", rate: [1000, 1.minute], redis: Redis.new, logger: Rails.logger) { |env| ActionDispatch::Request.new(env).ip }
+      CODE
+    end
     def omniauthable?
       options.omniauthable? && !options.api?
     end
@@ -179,11 +198,15 @@ class AuthenticationGenerator < Rails::Generators::Base
       options.invitable? && !options.api?
     end
+    def sudoable?
+      options.sudoable? && !options.api?
+    end
     def code_verifiable?
       options.code_verifiable? && options.api?
     end
     def redis?
-      options.lockable? || code_verifiable?
+      options.lockable? || options.ratelimit? || sudoable? || code_verifiable?
     end
 end

data/lib/generators/authentication/templates/controllers/api/sessions_controller.rb.tt CHANGED Viewed

@@ -1,9 +1,6 @@
 class SessionsController < ApplicationController
   skip_before_action :authenticate, only: :create
-  <%- if options.lockable? -%>
-  before_action :require_lock, attempts: 20, only: :create
-  <%- end -%>
   before_action :set_session, only: %i[ show destroy ]
   def index

data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt CHANGED Viewed

@@ -1,6 +1,12 @@
 class ApplicationController < ActionController::Base
   before_action :set_current_request_details
   before_action :authenticate
+  <%- if sudoable? %>
+  def require_sudo
+    return if Current.session.sudo?
+    redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
+  end
+  <%- end -%>
   <%- if options.lockable? %>
   def require_lock(wait: 1.hour, attempts: 10)
     counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)

data/lib/generators/authentication/templates/controllers/html/invitations_controller.rb.tt CHANGED Viewed

@@ -4,7 +4,7 @@ class InvitationsController < ApplicationController
   end
   def create
-    @user = User.new(user_params)
+    @user = User.create_with(user_params).find_or_initialize_by(email: params[:email])
     if @user.save
       send_invitation_instructions

data/lib/generators/authentication/templates/controllers/html/sessions/omniauth_controller.rb.tt CHANGED Viewed

@@ -3,7 +3,7 @@ class Sessions::OmniauthController < ApplicationController
   skip_before_action :authenticate
   def create
-    @user = User.where(omniauth_params).first_or_initialize(user_params)
+    @user = User.create_with(user_params).find_or_initialize_by(omniauth_params)
     if @user.save
       session = @user.sessions.create!
@@ -20,14 +20,14 @@ class Sessions::OmniauthController < ApplicationController
   end
   private
-    def omniauth_params
-      { provider: omniauth.provider, uid: omniauth.uid }
-    end
     def user_params
       { email: omniauth.info.email, password: SecureRandom::base58, verified: true }
     end
+    def omniauth_params
+      { provider: omniauth.provider, uid: omniauth.uid }
+    end
     def omniauth
       request.env["omniauth.auth"]
     end

data/lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt ADDED Viewed

@@ -0,0 +1,14 @@
+class Sessions::SudosController < ApplicationController
+  def new
+  end
+  def create
+    session = Current.session
+    if session.user.authenticate(params[:password])
+      session.sudo.mark; redirect_to(params[:proceed_to_url])
+    else
+      redirect_to new_sessions_sudo_path(proceed_to_url: params[:proceed_to_url]), alert: "The password you entered is incorrect"
+    end
+  end
+end

data/lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt ADDED Viewed

@@ -0,0 +1,28 @@
+<p style="color: red"><%%= alert %></p>
+<h1>Enter your password to continue</h1>
+<%%= form_with(url: sessions_sudo_path) do |form| %>
+  <%%= form.hidden_field :proceed_to_url, value: params[:proceed_to_url] %>
+  <div>
+    <%%= form.password_field :password, required: true, autofocus: true, autocomplete: "current-password" %>
+  </div>
+  <div>
+    <%%= form.submit "Continue" %>
+  </div>
+<%% end %>
+<br>
+<p>
+  <strong>Why are you asking me to do this?</strong><br>
+  To better protect your account, we'll occasionally ask you to confirm your password before performing sensitive actions.
+</p>
+<p>
+  <strong>Forgot your password?</strong><br>
+  We'll help you <%%= link_to "reset it", new_identity_password_reset_path %> so you can continue.
+</p>

data/lib/generators/authentication/templates/models/session.rb.tt CHANGED Viewed

@@ -1,21 +1,18 @@
 class Session < ApplicationRecord
   belongs_to :user
+  <%- if sudoable? %>
+  kredis_flag :sudo, expires_in: 30.minutes
+  <%- end -%>
   before_create do
     self.user_agent = Current.user_agent
     self.ip_address = Current.ip_address
   end
-  after_create_commit do
-    SessionMailer.with(session: self).signed_in_notification.deliver_later
-  end
+  <%- if sudoable? %>
+  after_create { sudo.mark }
+  <%- end -%>
   <%- if options.trackable? %>
-  after_create do
-    user.events.create! action: "signed_in"
-  end
-  after_destroy do
-    user.events.create! action: "signed_out"
-  end
+  after_create  { user.events.create! action: "signed_in" }
+  after_destroy { user.events.create! action: "signed_out" }
   <%- end -%>
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/sessions_controller_test.rb.tt CHANGED Viewed

@@ -21,8 +21,6 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
   test "should sign in" do
     post sign_in_url, params: { email: @user.email, password: "Secret1*3*5*" }
-    assert_enqueued_email_with SessionMailer, :signed_in_notification, args: { session: @user.sessions.last }
     assert_response :created
   end

data/lib/generators/authentication/templates/test_unit/controllers/html/sessions_controller_test.rb.tt CHANGED Viewed

@@ -19,8 +19,6 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
   test "should sign in" do
     post sign_in_url, params: { email: @user.email, password: "Secret1*3*5*" }
-    assert_enqueued_email_with SessionMailer, :signed_in_notification, args: { session: @user.sessions.last }
     assert_redirected_to root_url
     get root_url

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 2.16.11
+  version: 2.16.13
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-02 00:00:00.000000000 Z
+date: 2023-04-06 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -56,6 +56,7 @@ files:
 - lib/generators/authentication/templates/controllers/html/registrations_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions/omniauth_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions/passwordlesses_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt
@@ -67,17 +68,16 @@ files:
 - lib/generators/authentication/templates/erb/invitations/new.html.erb.tt
 - lib/generators/authentication/templates/erb/passwords/edit.html.erb.tt
 - lib/generators/authentication/templates/erb/registrations/new.html.erb.tt
-- lib/generators/authentication/templates/erb/session_mailer/signed_in_notification.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/index.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/new.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/passwordlesses/new.html.erb.tt
+- lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt
 - lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt
 - lib/generators/authentication/templates/erb/two_factor_authentication/totps/new.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/email_verification.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/invitation_instructions.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/password_reset.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/passwordless.html.erb.tt
-- lib/generators/authentication/templates/mailers/session_mailer.rb.tt
 - lib/generators/authentication/templates/mailers/user_mailer.rb.tt
 - lib/generators/authentication/templates/migrations/create_email_verification_tokens_migration.rb.tt
 - lib/generators/authentication/templates/migrations/create_events_migration.rb.tt
@@ -105,7 +105,6 @@ files:
 - lib/generators/authentication/templates/test_unit/controllers/html/passwords_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/html/registrations_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/html/sessions_controller_test.rb.tt
-- lib/generators/authentication/templates/test_unit/mailers/session_mailer_test.rb.tt
 - lib/generators/authentication/templates/test_unit/mailers/user_mailer_test.rb.tt
 - lib/generators/authentication/templates/test_unit/system/identity/emails_test.rb.tt
 - lib/generators/authentication/templates/test_unit/system/identity/password_resets_test.rb.tt

data/lib/generators/authentication/templates/erb/session_mailer/signed_in_notification.html.erb.tt DELETED Viewed

@@ -1,21 +0,0 @@
-<p>Hey there,</p>
-<p>A new device just signed in to your account (<%%= @session.user.email %>).</p>
-<p>
-  <strong><%%= @session.user_agent %></strong>
-  <br>
-  <%%= @session.created_at %>
-  <br>
-  IP address: <%%= @session.ip_address %>
-</p>
-<p><strong>If this was you, carry on.</strong> We could notify you about sign-ins from this device again.</p>
-<p><strong>If you don't recognize this device</strong>, someone else may have accessed your account. You should immediately <%%= link_to "change your password", new_identity_password_reset_url %>.</p>
-<p><strong>Tip:</strong> It's a good idea to periodically review all of the <%%= link_to "devices and sessions", sessions_url %> in your account for suspicious activity.</p>
-<hr>
-<p>Have questions or need help? Just reply to this email and our support team will help you sort it out.</p>

data/lib/generators/authentication/templates/mailers/session_mailer.rb.tt DELETED Viewed

@@ -1,6 +0,0 @@
-class SessionMailer < ApplicationMailer
-  def signed_in_notification
-    @session = params[:session]
-    mail to: @session.user.email, subject: "New sign-in to your account"
-  end
-end

data/lib/generators/authentication/templates/test_unit/mailers/session_mailer_test.rb.tt DELETED Viewed

@@ -1,13 +0,0 @@
-require "test_helper"
-class SessionMailerTest < ActionMailer::TestCase
-  setup do
-    @session = users(:lazaro_nixon).sessions.create!
-  end
-  test "signed_in_notification" do
-    mail = SessionMailer.with(session: @session).signed_in_notification
-    assert_equal "New sign-in to your account", mail.subject
-    assert_equal [@session.user.email], mail.to
-  end
-end