authentication-zero 3.0.2 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c60a566c4789323eb87ac9f024b732231815e76092b5187d608ddc6a21314427
-  data.tar.gz: fccefad83e73b9fe383949f756cf2ad363372472a7d5a362f5e04a99ea75fefa
+  metadata.gz: 84ff6a85acc17f4561f1362e2e7fa15ad27c434cee6191f57dd7623f49b506ff
+  data.tar.gz: 75fef66fa0926ba2c2a797db8a7d85cb58cdbf90891f0cb50e3cb318873fff10
 SHA512:
-  metadata.gz: b4a4a9bf9a05f73b0fcc4862d763fb3a4880563fbec72a3f069d7b7e56dbc4dee3c8812823c2569d7e680a4c49b86e61465191cfbd0b24a2a121ba49ab61ec37
-  data.tar.gz: b73ed9438ecbb4a9afa463195ca88d735084853044c8d59b6f649157302aefa171ed0a6d421267c2acbe909cabe0993fdf3b81da3a68e5a654e2e82a99d1549c
+  metadata.gz: b80db262196da2d9107246f47949c88a73110f58298a9d29eb6c94eba2b8e255a9206f09539b3bad6702156e96fbfd1960ae789530d595e303858b36f92364b8
+  data.tar.gz: c234410b5f2458a41be599d2529b377ed62436ff071eb87bc8bb49479d06d7382ac835ff7e82be7caf9f4b173ea45007362fc1836cedc27cc836e82f6cc71c4b

data/.github/workflows/CI.yml

@@ -22,7 +22,7 @@ jobs:
           bundler-cache: true
 
       - name: Install the latest Rails gem
-        run: gem install rails -v "7.1.0"
+        run: gem install rails -v "7.2.1"
 
       - name: Install Rubocop
         run: gem install rubocop rubocop-performance rubocop-minitest rubocop-packaging rubocop-minitest rubocop-rails
@@ -50,7 +50,6 @@ jobs:
         run: |
           cd test-app
           bin/rails test
-          bin/rails test:system
 
   test_api:
     name: 🧪 Run API Tests
@@ -66,7 +65,7 @@ jobs:
           bundler-cache: true
 
       - name: Install the latest Rails gem
-        run: gem install rails -v "7.1.0"
+        run: gem install rails -v "7.2.1"
 
       - name: Install Rubocop
         run: gem install rubocop rubocop-performance rubocop-minitest rubocop-packaging rubocop-minitest rubocop-rails

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## New version
+
+* Remove rate limit from api generator
+
+## Authentication Zero 4.0.0 ##
+
+* Remove system tests
+* Use native rate_limit for lockable
+* Copy web_authn_controller.js instead of depend on stimulus-web-authn
+
 ## Authentication Zero 3.0.2 ##
 
 * Fix bug where token is not expired/invalid

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (3.0.2)
+    authentication-zero (4.0.1)
 
 GEM
   remote: https://rubygems.org/

data/README.md

@@ -8,6 +8,12 @@ The purpose of authentication zero is to generate a pre-built authentication sys
 $ bundle add authentication-zero
 ```
 
+If you are using Rails < 7.2, you must use version 3.
+
+```
+$ bundle add authentication-zero --version "~> 3"
+```
+
 If you are using Rails < 7.1, you must use version 2.
 
 ```

data/lib/authentication_zero/version.rb

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "3.0.2"
+  VERSION = "4.0.1"
 end

data/lib/generators/authentication/authentication_generator.rb

@@ -8,7 +8,7 @@ class AuthenticationGenerator < Rails::Generators::Base
   class_option :sudoable,      type: :boolean, desc: "Add password request before sensitive data changes"
   class_option :lockable,      type: :boolean, desc: "Add password reset locking"
   class_option :ratelimit,     type: :boolean, desc: "Add request rate limiting"
-  class_option :passwordless,  type: :boolean, desc: "Add passwordless sign"
+  class_option :passwordless,  type: :boolean, desc: "Add passwordless sign in"
   class_option :omniauthable,  type: :boolean, desc: "Add social login support"
   class_option :trackable,     type: :boolean, desc: "Add activity log support"
   class_option :two_factor,    type: :boolean, desc: "Add two factor authentication"
@@ -123,9 +123,9 @@ class AuthenticationGenerator < Rails::Generators::Base
 
   def install_javascript
     return unless webauthn?
-    copy_file "javascript/controllers/application.js", "app/javascript/controllers/application.js", force: true
-    run "bin/importmap pin stimulus-web-authn" if importmaps?
-    run "yarn add stimulus-web-authn" if node?
+    copy_file "javascript/controllers/web_authn_controller.js", "app/javascript/controllers/web_authn_controller.js"
+    run "bin/importmap pin @rails/request.js" if importmaps?
+    run "yarn add @rails/request.js" if node?
   end
 
   def create_views
@@ -222,9 +222,7 @@ class AuthenticationGenerator < Rails::Generators::Base
   def create_test_files
     directory "test_unit/controllers/#{format}", "test/controllers"
     directory "test_unit/mailers/", "test/mailers"
-    directory "test_unit/system", "test/system" unless options.api?
     template  "test_unit/test_helper.rb", "test/test_helper.rb", force: true
-    template  "test_unit/application_system_test_case.rb", "test/application_system_test_case.rb", force: true unless options.api?
   end
 
   private
@@ -261,7 +259,7 @@ class AuthenticationGenerator < Rails::Generators::Base
     end
 
     def redis?
-      options.lockable? || options.ratelimit? || sudoable?
+      options.ratelimit? || sudoable?
     end
 
     def importmaps?

data/lib/generators/authentication/templates/controllers/api/application_controller.rb.tt

@@ -17,14 +17,4 @@ class ApplicationController < ActionController::API
       Current.user_agent = request.user_agent
       Current.ip_address = request.ip
     end
-    <%- if options.lockable? %>
-    def require_lock(wait: 1.hour, attempts: 10)
-      counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)
-      counter.increment
-
-      if counter.value > attempts
-        render json: { error: "You've exceeded the maximum number of attempts" }, status: :too_many_requests
-      end
-    end
-    <%- end -%>
 end

data/lib/generators/authentication/templates/controllers/api/identity/password_resets_controller.rb.tt

@@ -1,9 +1,6 @@
 class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
 
-  <%- if options.lockable? -%>
-  before_action :require_lock, only: :create
-  <%- end -%>
   before_action :set_user, only: :update
 
   def edit

data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt

@@ -15,16 +15,6 @@ class ApplicationController < ActionController::Base
       Current.user_agent = request.user_agent
       Current.ip_address = request.ip
     end
-    <%- if options.lockable? %>
-    def require_lock(wait: 1.hour, attempts: 10)
-      counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)
-      counter.increment
-
-      if counter.value > attempts
-        redirect_to root_path, alert: "You've exceeded the maximum number of attempts"
-      end
-    end
-    <%- end -%>
     <%- if sudoable? %>
     def require_sudo
       unless Current.session.sudo?

data/lib/generators/authentication/templates/controllers/html/identity/password_resets_controller.rb.tt

@@ -2,7 +2,7 @@ class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
 
   <%- if options.lockable? -%>
-  before_action :require_lock, only: :create
+  rate_limit to: 10, within: 1.hour, only: :create, with: -> { redirect_to root_path, alert: "Try again later" }
   <%- end -%>
   before_action :set_user, only: %i[ edit update ]
 

data/lib/generators/authentication/templates/controllers/html/sessions/passwordlesses_controller.rb.tt

@@ -2,7 +2,7 @@ class Sessions::PasswordlessesController < ApplicationController
   skip_before_action :authenticate
 
   <%- if options.lockable? -%>
-  before_action :require_lock, only: :create
+  rate_limit to: 10, within: 1.hour, only: :create, with: -> { redirect_to root_path, alert: "Try again later" }
   <%- end -%>
   before_action :set_user, only: :edit
 

data/lib/generators/authentication/templates/javascript/controllers/web_authn_controller.js

@@ -0,0 +1,111 @@
+import { Controller } from "@hotwired/stimulus"
+import { create, get, supported } from "@github/webauthn-json"
+import { FetchRequest } from "@rails/request.js"
+
+export default class WebAuthnController extends Controller {
+  static targets = [ "error", "button", "supportText" ]
+  static classes = [ "loading" ]
+  static values = {
+    challengeUrl: String,
+    verificationUrl: String,
+    fallbackUrl: String,
+    retryText: { type: String, default: "Retry" },
+    notAllowedText: { type: String, default: "That didn't work. Either it was cancelled or took too long. Please try again." },
+    invalidStateText: { type: String, default: "We couldn't add that security key. Please confirm you haven't already registered it, then try again." }
+  }
+
+  connect() {
+    if (!supported()) {
+      this.handleUnsupportedBrowser()
+    }
+  }
+
+  getCredential() {
+    this.hideError()
+    this.disableForm()
+    this.requestChallengeAndVerify(get)
+  }
+
+  createCredential() {
+    this.hideError()
+    this.disableForm()
+    this.requestChallengeAndVerify(create)
+  }
+
+  // Private
+
+  handleUnsupportedBrowser() {
+    this.buttonTarget.parentNode.removeChild(this.buttonTarget)
+
+    if (this.fallbackUrlValue) {
+      window.location.replace(this.fallbackUrlValue)
+    } else {
+      this.supportTextTargets.forEach(target => target.hidden = !target.hidden)
+    }
+  }
+
+  async requestChallengeAndVerify(fn) {
+    try {
+      const challengeResponse = await this.requestPublicKeyChallenge()
+      const credentialResponse = await fn({ publicKey: challengeResponse })
+      this.onCompletion(await this.verify(credentialResponse))
+    } catch (error) {
+      this.onError(error)
+    }
+  }
+
+  async requestPublicKeyChallenge() {
+    return await this.request("get", this.challengeUrlValue)
+  }
+
+  async verify(credentialResponse) {
+    return await this.request("post", this.verificationUrlValue, {
+      body: JSON.stringify({ credential: credentialResponse }),
+      contentType: "application/json",
+      responseKind: "json"
+    })
+  }
+
+  onCompletion(response) {
+    window.location.replace(response.location)
+  }
+
+  onError(error) {
+    if (error.code === 0 && error.name === "NotAllowedError") {
+      this.errorTarget.textContent = this.notAllowedTextValue
+    } else if (error.code === 11 && error.name === "InvalidStateError") {
+      this.errorTarget.textContent = this.invalidStateTextValue
+    } else {
+      this.errorTarget.textContent = error.message
+    }
+    this.showError()
+  }
+
+  hideError() {
+    if (this.hasErrorTarget) this.errorTarget.hidden = true
+  }
+
+  showError() {
+    if (this.hasErrorTarget) {
+      this.errorTarget.hidden = false
+      this.buttonTarget.textContent = this.retryTextValue
+      this.enableForm()
+    }
+  }
+
+  enableForm() {
+    this.element.classList.remove(this.loadingClass)
+    this.buttonTarget.disabled = false
+  }
+
+  disableForm() {
+    this.element.classList.add(this.loadingClass)
+    this.buttonTarget.disabled = true
+  }
+
+  async request(method, url, options) {
+    const request = new FetchRequest(method, url, { responseKind: "json", ...options })
+    const response = await request.perform()
+    return response.json
+  }
+}

data/lib/generators/authentication/templates/models/user.rb.tt

@@ -4,6 +4,7 @@ class User < ApplicationRecord
   generates_token_for :email_verification, expires_in: 2.days do
     email
   end
+
   generates_token_for :password_reset, expires_in: 20.minutes do
     password_salt.last(10)
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 3.0.2
+  version: 4.0.1
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-28 00:00:00.000000000 Z
+date: 2024-10-08 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -94,7 +94,7 @@ files:
 - lib/generators/authentication/templates/erb/user_mailer/invitation_instructions.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/password_reset.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/passwordless.html.erb.tt
-- lib/generators/authentication/templates/javascript/controllers/application.js
+- lib/generators/authentication/templates/javascript/controllers/web_authn_controller.js
 - lib/generators/authentication/templates/lib/account_middleware.rb
 - lib/generators/authentication/templates/mailers/user_mailer.rb.tt
 - lib/generators/authentication/templates/migrations/create_accounts_migration.rb.tt
@@ -113,7 +113,6 @@ files:
 - lib/generators/authentication/templates/models/session.rb.tt
 - lib/generators/authentication/templates/models/sign_in_token.rb.tt
 - lib/generators/authentication/templates/models/user.rb.tt
-- lib/generators/authentication/templates/test_unit/application_system_test_case.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/email_verifications_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/emails_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/password_resets_controller_test.rb.tt
@@ -127,11 +126,6 @@ files:
 - lib/generators/authentication/templates/test_unit/controllers/html/registrations_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/html/sessions_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/mailers/user_mailer_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/identity/emails_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/identity/password_resets_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/passwords_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/registrations_test.rb.tt
-- lib/generators/authentication/templates/test_unit/system/sessions_test.rb.tt
 - lib/generators/authentication/templates/test_unit/test_helper.rb.tt
 - lib/generators/authentication/templates/test_unit/users.yml
 homepage: https://github.com/lazaronixon/authentication-zero
@@ -156,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.20
+rubygems_version: 3.5.5
 signing_key:
 specification_version: 4
 summary: An authentication system generator for Rails applications

data/lib/generators/authentication/templates/javascript/controllers/application.js

@@ -1,11 +0,0 @@
-import { Application } from "@hotwired/stimulus"
-import WebAuthnController from "stimulus-web-authn"
-
-const application = Application.start()
-application.register("web-authn", WebAuthnController)
-
-// Configure Stimulus development experience
-application.debug = false
-window.Stimulus   = application
-
-export { application }

data/lib/generators/authentication/templates/test_unit/application_system_test_case.rb.tt

@@ -1,15 +0,0 @@
-require "test_helper"
-
-class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
-  driven_by :selenium, using: :headless_chrome, screen_size: [1400, 1400]
-
-  def sign_in_as(user)
-    visit sign_in_url
-    fill_in :email, with: user.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
-
-    assert_current_path root_url
-    user
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/identity/emails_test.rb.tt

@@ -1,26 +0,0 @@
-require "application_system_test_case"
-
-class Identity::EmailsTest < ApplicationSystemTestCase
-  setup do
-    @user = sign_in_as(users(:lazaro_nixon))
-  end
-
-  test "updating the email" do
-    click_on "Change email address"
-
-    fill_in "New email", with: "new_email@hey.com"
-    fill_in "Password challenge", with: "Secret1*3*5*"
-    click_on "Save changes"
-
-    assert_text "Your email has been changed"
-  end
-
-  test "sending a verification email" do
-    @user.update! verified: false
-
-    click_on "Change email address"
-    click_on "Re-send verification email"
-
-    assert_text "We sent a verification email to your email address"
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/identity/password_resets_test.rb.tt

@@ -1,28 +0,0 @@
-require "application_system_test_case"
-
-class Identity::PasswordResetsTest < ApplicationSystemTestCase
-  setup do
-    @user = users(:lazaro_nixon)
-    @sid = @user.generate_token_for(:password_reset)
-  end
-
-  test "sending a password reset email" do
-    visit sign_in_url
-    click_on "Forgot your password?"
-
-    fill_in "Email", with: @user.email
-    click_on "Send password reset email"
-
-    assert_text "Check your email for reset instructions"
-  end
-
-  test "updating password" do
-    visit edit_identity_password_reset_url(sid: @sid)
-
-    fill_in "New password", with: "Secret6*4*2*"
-    fill_in "Confirm new password", with: "Secret6*4*2*"
-    click_on "Save changes"
-
-    assert_text "Your password was reset successfully. Please sign in"
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/passwords_test.rb.tt

@@ -1,18 +0,0 @@
-require "application_system_test_case"
-
-class PasswordsTest < ApplicationSystemTestCase
-  setup do
-    @user = sign_in_as(users(:lazaro_nixon))
-  end
-
-  test "updating the password" do
-    click_on "Change password"
-
-    fill_in "Password challenge", with: "Secret1*3*5*"
-    fill_in "New password", with: "Secret6*4*2*"
-    fill_in "Confirm new password", with: "Secret6*4*2*"
-    click_on "Save changes"
-
-    assert_text "Your password has been changed"
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/registrations_test.rb.tt

@@ -1,14 +0,0 @@
-require "application_system_test_case"
-
-class RegistrationsTest < ApplicationSystemTestCase
-  test "signing up" do
-    visit sign_up_url
-
-    fill_in "Email", with: "lazaronixon@hey.com"
-    fill_in "Password", with: "Secret6*4*2*"
-    fill_in "Password confirmation", with: "Secret6*4*2*"
-    click_on "Sign up"
-
-    assert_text "Welcome! You have signed up successfully"
-  end
-end

data/lib/generators/authentication/templates/test_unit/system/sessions_test.rb.tt

@@ -1,30 +0,0 @@
-require "application_system_test_case"
-
-class SessionsTest < ApplicationSystemTestCase
-  setup do
-    @user = users(:lazaro_nixon)
-  end
-
-  test "visiting the index" do
-    sign_in_as @user
-
-    click_on "Devices & Sessions"
-    assert_selector "h1", text: "Sessions"
-  end
-
-  test "signing in" do
-    visit sign_in_url
-    fill_in "Email", with: @user.email
-    fill_in "Password", with: "Secret1*3*5*"
-    click_on "Sign in"
-
-    assert_text "Signed in successfully"
-  end
-
-  test "signing out" do
-    sign_in_as @user
-
-    click_on "Log out"
-    assert_text "That session has been logged out"
-  end
-end