authie 4.0.0.rc5 → 4.0.0.rc8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1d9373c828cdac9b7663eb05db6954ff069f5e6d8164d64c8dcf5fd165ca0d09
-  data.tar.gz: c4b98e9bb20edce2539761806affda87fd4d56082b7c9e956842424cac8a6e27
+  metadata.gz: 34f5fbbc0393fb8f28c1aa13fa1bf7e1bb04c53588c679844dcf46348c119921
+  data.tar.gz: f875d3738a56db47b795cacfcabcf1447d87efec7b7a231db06d8b72bce387db
 SHA512:
-  metadata.gz: b90a45ff82b29992deec7c2e7c09604a3a569bdfbe099ba2f7be26989c9bd91417b7446d7ea2d8ad0f85f55d42d9ed9356a203dc239e88f568ccf64cb4faa363
-  data.tar.gz: 9c66674049a1a8c36389faa84764b296f7879d59b5cdd3c6bc7b06946874ffec6fec23cd1194a0b68367391237814938a1de19db0ef7958af005d7a9ce2d66ef
+  metadata.gz: 6b1866dae5679014d40a15b9bf6ba1b463b80f7ffba8246ef056bcbe48cce07b39395a85dbe0b6ef1849271c794044571dd4cbad71c3591a478167b378917bb2
+  data.tar.gz: a109dad855e4d97a11cf4b9f4dea6316383e34a5a7a2a13c10bffc1efe8a5ffcc45c487bb90793dadbcd694a5f2ecb647d0c519a6cc17fb53dc77bb8722d7ea1

data/db/migrate/20220502180100_add_two_factor_required_to_sessions.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddTwoFactorRequiredToSessions < ActiveRecord::Migration[4.2]
+  def change
+    add_column :authie_sessions, :skip_two_factor, :boolean, default: false
+  end
+end

data/lib/authie/config.rb

@@ -8,6 +8,8 @@ module Authie
     attr_accessor :persistent_session_length
     attr_accessor :sudo_session_timeout
     attr_accessor :browser_id_cookie_name
+    attr_accessor :session_token_length
+    attr_accessor :extend_session_expiry_on_touch
     attr_accessor :events
 
     def initialize
@@ -15,6 +17,8 @@ module Authie
       @persistent_session_length = 2.months
       @sudo_session_timeout = 10.minutes
       @browser_id_cookie_name = :browser_id
+      @session_token_length = 64
+      @extend_session_expiry_on_touch = false
       @events = EventManager.new
     end
   end

data/lib/authie/controller_delegate.rb

@@ -9,10 +9,13 @@ module Authie
   # The controller delegate implements methods that can be used by a controller. These are then
   # extended into controllers as needed (see ControllerExtension).
   class ControllerDelegate
+    attr_accessor :touch_auth_session_enabled
+
     # @param controller [ActionController::Base]
     # @return [Authie::ControllerDelegate]
     def initialize(controller)
       @controller = controller
+      @touch_auth_session_enabled = true
     end
 
     # Sets a browser ID. This must be performed on any page request where AUthie will be used.
@@ -52,7 +55,7 @@ module Authie
     def touch_auth_session
       yield if block_given?
     ensure
-      auth_session.touch if logged_in?
+      auth_session.touch if @touch_auth_session_enabled && logged_in?
     end
 
     # Return the user for the currently logged in user or nil if no user is logged in

data/lib/authie/controller_extension.rb

@@ -26,5 +26,9 @@ module Authie
     def auth_session_delegate
       @auth_session_delegate ||= Authie::ControllerDelegate.new(self)
     end
+
+    def skip_touch_auth_session!
+      auth_session_delegate.touch_auth_session_enabled = false
+    end
   end
 end

data/lib/authie/session.rb

@@ -92,6 +92,7 @@ module Authie
       @session.last_activity_ip = @controller.request.ip
       @session.last_activity_path = @controller.request.path
       @session.requests += 1
+      extend_session_expiry_if_appropriate
       @session.save!
       Authie.config.events.dispatch(:session_touched, self)
       self
@@ -113,9 +114,10 @@ module Authie
     #
     # @raises [ActiveRecord::RecordInvalid]
     # @return [Authie::Session]
-    def mark_as_two_factored
+    def mark_as_two_factored(skip: false)
       @session.two_factored_at = Time.now
       @session.two_factored_ip = @controller.request.ip
+      @session.skip_two_factor = skip
       @session.save!
       Authie.config.events.dispatch(:marked_as_two_factor, self)
       self
@@ -132,6 +134,15 @@ module Authie
       self
     end
 
+    # Resets the token for the currently active session to a new string
+    #
+    # @return [Authie::Session]
+    def reset_token
+      @session.reset_token
+      set_cookie
+      self
+    end
+
     private
 
     # rubocop:disable Naming/AccessorMethodName
@@ -201,6 +212,16 @@ module Authie
       self
     end
 
+    def extend_session_expiry_if_appropriate
+      return if @session.expires_at.nil?
+      return unless Authie.config.extend_session_expiry_on_touch
+
+      # If enabled, sessions with an expiry time will automatiaclly be incremented
+      # whenever a page is touched. The cookie will also be updated as appropriate.
+      @session.expires_at = Authie.config.persistent_session_length.from_now
+      set_cookie
+    end
+
     class << self
       # Create a new session within the given controller for the
       #
@@ -284,6 +305,7 @@ module Authie
     delegate :two_factored_at, to: :session
     delegate :two_factored_ip, to: :session
     delegate :two_factored?, to: :session
+    delegate :skip_two_factor, to: :session
     delegate :update, to: :session
     delegate :update!, to: :session
     delegate :user_agent, to: :session

data/lib/authie/session_model.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'active_record/base'
-require 'secure_random_string'
+require 'securerandom'
 require 'authie/config'
 
 module Authie
@@ -19,15 +19,8 @@ module Authie
     # Attributes
     serialize :data, Hash
 
-    before_validation do
-      self.user_agent = user_agent[0, 255] if user_agent.is_a?(String)
-      self.last_activity_path = last_activity_path[0, 255] if last_activity_path.is_a?(String)
-    end
-
-    before_create do
-      self.temporary_token = SecureRandomString.new(44)
-      self.token_hash = self.class.hash_token(temporary_token)
-    end
+    before_validation :shorten_strings
+    before_create :set_new_token
 
     # Return the user that
     def user
@@ -109,6 +102,27 @@ module Authie
       self.class.where('id < ?', id).for_user(user).where(login_ip: login_ip).empty?
     end
 
+    # Reset a new token for the session and return the new token
+    #
+    # @return [String]
+    def reset_token
+      set_new_token
+      save!
+      temporary_token
+    end
+
+    private
+
+    def shorten_strings
+      self.user_agent = user_agent[0, 255] if user_agent.is_a?(String)
+      self.last_activity_path = last_activity_path[0, 255] if last_activity_path.is_a?(String)
+    end
+
+    def set_new_token
+      self.temporary_token = SecureRandom.alphanumeric(Authie.config.session_token_length)
+      self.token_hash = self.class.hash_token(temporary_token)
+    end
+
     class << self
       # Find a session from the database for the given controller instance.
       # Returns a session object or :none if no session is found.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authie
 version: !ruby/object:Gem::Version
-  version: 4.0.0.rc5
+  version: 4.0.0.rc8
 platform: ruby
 authors:
 - Adam Cooke
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-02 00:00:00.000000000 Z
+date: 2022-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -30,20 +30,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '8.0'
-- !ruby/object:Gem::Dependency
-  name: secure_random_string
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -246,6 +232,7 @@ files:
 - db/migrate/20170417170000_add_token_hashes_to_authie_sessions.rb
 - db/migrate/20170421174100_add_index_to_token_hashes_on_authie_sessions.rb
 - db/migrate/20180215152200_add_host_to_authie_sessions.rb
+- db/migrate/20220502180100_add_two_factor_required_to_sessions.rb
 - lib/authie.rb
 - lib/authie/config.rb
 - lib/authie/controller_delegate.rb