RubyGems - authentication-zero - Versions diffs - 3.0.1 → 4.0.0 - Mend

authentication-zero 3.0.1 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 92112d3c18d8e744aa40aed7fef55a2d0297e90e1975c2dd8efbcd4197314cd7
-  data.tar.gz: 7ec0f1e5283f8035bdcbcfe0d8d497a618158689fc7c85d550c96ec3324d5d48
+  metadata.gz: 10cffeda250c03651c8f0d1f60ae0c726fe9884c4ac40b62de7a7deceb27374c
+  data.tar.gz: 1b3421b4b3053fd76db8500d332e8ee0db4478bb8bf547988192ba646b1a8534
 SHA512:
-  metadata.gz: 8b0af8f623956d8cbd08046c2c30e2e3705542b975236585a8420d26d8b7fdb450ddea61abd2b6e67b675c677869126cebfc0c898b7c2d88cde869d0715c72cb
-  data.tar.gz: 5015012ed105a8e4cf26f2a801dda0d91785a99bf45497964f1a806311a5ff822348afa1533209d8c847f2732bfa4d424e59e5854eabb2824a3b16f9b42b9696
+  metadata.gz: 7f8c89fb438dfc43fd47416f5320b4a98e14617896e30e3e0060245f71e2f0e356b1b8d9f709b2c0c930a9cffc8a20e9eff168ffe48cf74c288a3ce191e5a1d6
+  data.tar.gz: 37f2810abcec42035ece7447836eb966a5de77359ef907bdbd336d6918d4ef2b4ca2330e80824084ec4941a250a55f31f21863f23d21fa9e89503b5b3f5fc94f

data/.github/workflows/CI.yml CHANGED Viewed

@@ -50,7 +50,6 @@ jobs:
         run: |
           cd test-app
           bin/rails test
-          bin/rails test:system
   test_api:
     name: 🧪 Run API Tests

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,13 @@
+## Authentication Zero 4.0.0 ##
+* Remove system tests
+* Use native rate_limit for lockable
+* Copy web_authn_controller.js instead of depend on stimulus-web-authn
+## Authentication Zero 3.0.2 ##
+* Fix bug where token is not expired/invalid
 ## Authentication Zero 3.0.0 ##
 * Use the new normalizes API

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (3.0.1)
+    authentication-zero (4.0.0)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED Viewed

@@ -8,6 +8,12 @@ The purpose of authentication zero is to generate a pre-built authentication sys
 $ bundle add authentication-zero
 ```
+If you are using Rails < 8, you must use version 3.
+```
+$ bundle add authentication-zero --version "~> 3"
+```
 If you are using Rails < 7.1, you must use version 2.
 ```

data/lib/authentication_zero/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "3.0.1"
+  VERSION = "4.0.0"
 end

data/lib/generators/authentication/authentication_generator.rb CHANGED Viewed

@@ -123,9 +123,9 @@ class AuthenticationGenerator < Rails::Generators::Base
   def install_javascript
     return unless webauthn?
-    copy_file "javascript/controllers/application.js", "app/javascript/controllers/application.js", force: true
-    run "bin/importmap pin stimulus-web-authn" if importmaps?
-    run "yarn add stimulus-web-authn" if node?
+    copy_file "javascript/controllers/web_authn_controller.js", "app/javascript/controllers/web_authn_controller.js"
+    run "bin/importmap pin @rails/request.js" if importmaps?
+    run "yarn add @rails/request.js" if node?
   end
   def create_views
@@ -222,9 +222,7 @@ class AuthenticationGenerator < Rails::Generators::Base
   def create_test_files
     directory "test_unit/controllers/#{format}", "test/controllers"
     directory "test_unit/mailers/", "test/mailers"
-    directory "test_unit/system", "test/system" unless options.api?
     template  "test_unit/test_helper.rb", "test/test_helper.rb", force: true
-    template  "test_unit/application_system_test_case.rb", "test/application_system_test_case.rb", force: true unless options.api?
   end
   private
@@ -261,7 +259,7 @@ class AuthenticationGenerator < Rails::Generators::Base
     end
     def redis?
-      options.lockable? || options.ratelimit? || sudoable?
+      options.ratelimit? || sudoable?
     end
     def importmaps?

data/lib/generators/authentication/templates/controllers/api/application_controller.rb.tt CHANGED Viewed

@@ -17,14 +17,4 @@ class ApplicationController < ActionController::API
       Current.user_agent = request.user_agent
       Current.ip_address = request.ip
     end
-    <%- if options.lockable? %>
-    def require_lock(wait: 1.hour, attempts: 10)
-      counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)
-      counter.increment
-      if counter.value > attempts
-        render json: { error: "You've exceeded the maximum number of attempts" }, status: :too_many_requests
-      end
-    end
-    <%- end -%>
 end

data/lib/generators/authentication/templates/controllers/api/identity/password_resets_controller.rb.tt CHANGED Viewed

@@ -2,7 +2,7 @@ class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
   <%- if options.lockable? -%>
-  before_action :require_lock, only: :create
+  rate_limit to: 10, within: 1.hour, only: :create
   <%- end -%>
   before_action :set_user, only: :update

data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt CHANGED Viewed

@@ -15,16 +15,6 @@ class ApplicationController < ActionController::Base
       Current.user_agent = request.user_agent
       Current.ip_address = request.ip
     end
-    <%- if options.lockable? %>
-    def require_lock(wait: 1.hour, attempts: 10)
-      counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)
-      counter.increment
-      if counter.value > attempts
-        redirect_to root_path, alert: "You've exceeded the maximum number of attempts"
-      end
-    end
-    <%- end -%>
     <%- if sudoable? %>
     def require_sudo
       unless Current.session.sudo?

data/lib/generators/authentication/templates/controllers/html/identity/password_resets_controller.rb.tt CHANGED Viewed

@@ -2,7 +2,7 @@ class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
   <%- if options.lockable? -%>
-  before_action :require_lock, only: :create
+  rate_limit to: 10, within: 1.hour, only: :create, with: -> { redirect_to root_path, alert: "Try again later" }
   <%- end -%>
   before_action :set_user, only: %i[ edit update ]

data/lib/generators/authentication/templates/controllers/html/sessions/passwordlesses_controller.rb.tt CHANGED Viewed

@@ -2,7 +2,7 @@ class Sessions::PasswordlessesController < ApplicationController
   skip_before_action :authenticate
   <%- if options.lockable? -%>
-  before_action :require_lock, only: :create
+  rate_limit to: 10, within: 1.hour, only: :create, with: -> { redirect_to root_path, alert: "Try again later" }
   <%- end -%>
   before_action :set_user, only: :edit

data/lib/generators/authentication/templates/javascript/controllers/web_authn_controller.js ADDED Viewed

@@ -0,0 +1,111 @@
+import { Controller } from "@hotwired/stimulus"
+import { create, get, supported } from "@github/webauthn-json"
+import { FetchRequest } from "@rails/request.js"
+export default class WebAuthnController extends Controller {
+  static targets = [ "error", "button", "supportText" ]
+  static classes = [ "loading" ]
+  static values = {
+    challengeUrl: String,
+    verificationUrl: String,
+    fallbackUrl: String,
+    retryText: { type: String, default: "Retry" },
+    notAllowedText: { type: String, default: "That didn't work. Either it was cancelled or took too long. Please try again." },
+    invalidStateText: { type: String, default: "We couldn't add that security key. Please confirm you haven't already registered it, then try again." }
+  }
+  connect() {
+    if (!supported()) {
+      this.handleUnsupportedBrowser()
+    }
+  }
+  getCredential() {
+    this.hideError()
+    this.disableForm()
+    this.requestChallengeAndVerify(get)
+  }
+  createCredential() {
+    this.hideError()
+    this.disableForm()
+    this.requestChallengeAndVerify(create)
+  }
+  // Private
+  handleUnsupportedBrowser() {
+    this.buttonTarget.parentNode.removeChild(this.buttonTarget)
+    if (this.fallbackUrlValue) {
+      window.location.replace(this.fallbackUrlValue)
+    } else {
+      this.supportTextTargets.forEach(target => target.hidden = !target.hidden)
+    }
+  }
+  async requestChallengeAndVerify(fn) {
+    try {
+      const challengeResponse = await this.requestPublicKeyChallenge()
+      const credentialResponse = await fn({ publicKey: challengeResponse })
+      this.onCompletion(await this.verify(credentialResponse))
+    } catch (error) {
+      this.onError(error)
+    }
+  }
+  async requestPublicKeyChallenge() {
+    return await this.request("get", this.challengeUrlValue)
+  }
+  async verify(credentialResponse) {
+    return await this.request("post", this.verificationUrlValue, {
+      body: JSON.stringify({ credential: credentialResponse }),
+      contentType: "application/json",
+      responseKind: "json"
+    })
+  }
+  onCompletion(response) {
+    window.location.replace(response.location)
+  }
+  onError(error) {
+    if (error.code === 0 && error.name === "NotAllowedError") {
+      this.errorTarget.textContent = this.notAllowedTextValue
+    } else if (error.code === 11 && error.name === "InvalidStateError") {
+      this.errorTarget.textContent = this.invalidStateTextValue
+    } else {
+      this.errorTarget.textContent = error.message
+    }
+    this.showError()
+  }
+  hideError() {
+    if (this.hasErrorTarget) this.errorTarget.hidden = true
+  }
+  showError() {
+    if (this.hasErrorTarget) {
+      this.errorTarget.hidden = false
+      this.buttonTarget.textContent = this.retryTextValue
+      this.enableForm()
+    }
+  }
+  enableForm() {
+    this.element.classList.remove(this.loadingClass)
+    this.buttonTarget.disabled = false
+  }
+  disableForm() {
+    this.element.classList.add(this.loadingClass)
+    this.buttonTarget.disabled = true
+  }
+  async request(method, url, options) {
+    const request = new FetchRequest(method, url, { responseKind: "json", ...options })
+    const response = await request.perform()
+    return response.json
+  }
+}

data/lib/generators/authentication/templates/models/user.rb.tt CHANGED Viewed

@@ -1,8 +1,14 @@
 class User < ApplicationRecord
   has_secure_password
-  generates_token_for :email_verification, expires_in: 2.days { email }
-  generates_token_for :password_reset, expires_in: 20.minutes { password_salt.last(10) }
+  generates_token_for :email_verification, expires_in: 2.days do
+    email
+  end
+  generates_token_for :password_reset, expires_in: 20.minutes do
+    password_salt.last(10)
+  end
   <%- if options.tenantable? %>
   belongs_to :account
   <%- end -%>

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 3.0.1
+  version: 4.0.0
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-14 00:00:00.000000000 Z
+date: 2024-10-08 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -94,7 +94,7 @@ files:
 - lib/generators/authentication/templates/erb/user_mailer/invitation_instructions.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/password_reset.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/passwordless.html.erb.tt
-- lib/generators/authentication/templates/javascript/controllers/application.js
+- lib/generators/authentication/templates/javascript/controllers/web_authn_controller.js
 - lib/generators/authentication/templates/lib/account_middleware.rb
 - lib/generators/authentication/templates/mailers/user_mailer.rb.tt
 - lib/generators/authentication/templates/migrations/create_accounts_migration.rb.tt
@@ -113,7 +113,6 @@ files:
 - lib/generators/authentication/templates/models/session.rb.tt
 - lib/generators/authentication/templates/models/sign_in_token.rb.tt
 - lib/generators/authentication/templates/models/user.rb.tt
-- lib/generators/authentication/templates/test_unit/application_system_test_case.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/email_verifications_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/emails_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/password_resets_controller_test.rb.tt
@@ -127,11 +126,6 @@ files:
 - lib/generators/authentication/templates/test_unit/controllers/html/registrations_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/html/sessions_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/mailers/user_mailer_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/identity/emails_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/identity/password_resets_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/passwords_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/registrations_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/sessions_test.rb.tt
 - lib/generators/authentication/templates/test_unit/test_helper.rb.tt
 - lib/generators/authentication/templates/test_unit/users.yml
 homepage: https://github.com/lazaronixon/authentication-zero
@@ -156,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.20
+rubygems_version: 3.5.5
 signing_key:
 specification_version: 4
 summary: An authentication system generator for Rails applications

data/lib/generators/authentication/templates/javascript/controllers/application.js DELETED Viewed

@@ -1,11 +0,0 @@
-import { Application } from "@hotwired/stimulus"
-import WebAuthnController from "stimulus-web-authn"
-const application = Application.start()
-application.register("web-authn", WebAuthnController)
-// Configure Stimulus development experience
-application.debug = false
-window.Stimulus   = application
-export { application }

data/lib/generators/authentication/templates/test_unit/application_system_test_case.rb.tt DELETED Viewed

@@ -1,15 +0,0 @@
-require "test_helper"
-class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
-  driven_by :selenium, using: :headless_chrome, screen_size: [1400, 1400]
-  def sign_in_as(user)
-    visit sign_in_url
-    fill_in :email, with: user.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
-    assert_current_path root_url
-    user
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/identity/emails_test.rb.tt DELETED Viewed

@@ -1,26 +0,0 @@
-require "application_system_test_case"
-class Identity::EmailsTest < ApplicationSystemTestCase
-  setup do
-    @user = sign_in_as(users(:lazaro_nixon))
-  end
-  test "updating the email" do
-    click_on "Change email address"
-    fill_in "New email", with: "new_email@hey.com"
-    fill_in "Password challenge", with: "Secret1*3*5*"
-    click_on "Save changes"
-    assert_text "Your email has been changed"
-  end
-  test "sending a verification email" do
-    @user.update! verified: false
-    click_on "Change email address"
-    click_on "Re-send verification email"
-    assert_text "We sent a verification email to your email address"
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/identity/password_resets_test.rb.tt DELETED Viewed

@@ -1,28 +0,0 @@
-require "application_system_test_case"
-class Identity::PasswordResetsTest < ApplicationSystemTestCase
-  setup do
-    @user = users(:lazaro_nixon)
-    @sid = @user.generate_token_for(:password_reset)
-  end
-  test "sending a password reset email" do
-    visit sign_in_url
-    click_on "Forgot your password?"
-    fill_in "Email", with: @user.email
-    click_on "Send password reset email"
-    assert_text "Check your email for reset instructions"
-  end
-  test "updating password" do
-    visit edit_identity_password_reset_url(sid: @sid)
-    fill_in "New password", with: "Secret6*4*2*"
-    fill_in "Confirm new password", with: "Secret6*4*2*"
-    click_on "Save changes"
-    assert_text "Your password was reset successfully. Please sign in"
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/passwords_test.rb.tt DELETED Viewed

@@ -1,18 +0,0 @@
-require "application_system_test_case"
-class PasswordsTest < ApplicationSystemTestCase
-  setup do
-    @user = sign_in_as(users(:lazaro_nixon))
-  end
-  test "updating the password" do
-    click_on "Change password"
-    fill_in "Password challenge", with: "Secret1*3*5*"
-    fill_in "New password", with: "Secret6*4*2*"
-    fill_in "Confirm new password", with: "Secret6*4*2*"
-    click_on "Save changes"
-    assert_text "Your password has been changed"
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/registrations_test.rb.tt DELETED Viewed

@@ -1,14 +0,0 @@
-require "application_system_test_case"
-class RegistrationsTest < ApplicationSystemTestCase
-  test "signing up" do
-    visit sign_up_url
-    fill_in "Email", with: "lazaronixon@hey.com"
-    fill_in "Password", with: "Secret6*4*2*"
-    fill_in "Password confirmation", with: "Secret6*4*2*"
-    click_on "Sign up"
-    assert_text "Welcome! You have signed up successfully"
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/sessions_test.rb.tt DELETED Viewed

@@ -1,30 +0,0 @@
-require "application_system_test_case"
-class SessionsTest < ApplicationSystemTestCase
-  setup do
-    @user = users(:lazaro_nixon)
-  end
-  test "visiting the index" do
-    sign_in_as @user
-    click_on "Devices & Sessions"
-    assert_selector "h1", text: "Sessions"
-  end
-  test "signing in" do
-    visit sign_in_url
-    fill_in "Email", with: @user.email
-    fill_in "Password", with: "Secret1*3*5*"
-    click_on "Sign in"
-    assert_text "Signed in successfully"
-  end
-  test "signing out" do
-    sign_in_as @user
-    click_on "Log out"
-    assert_text "That session has been logged out"
-  end
-end