authkit 0.5.0 → 0.7.0

data/lib/generators/authkit/templates/app/models/user_session.rb

@@ -0,0 +1,55 @@
+class UserSession < ApplicationRecord
+  belongs_to :user
+
+  scope :active, -> { where(revoked_at: nil, logged_out_at: nil) }
+
+  validates :user, presence: true
+
+  validates :remember_token, presence: true
+
+  before_validation :set_remember_token
+
+  def active?
+    !logged_out? && !revoked?
+  end
+
+  def logged_out?
+    logged_out_at.present?
+  end
+
+  def revoked?
+    revoked_at.present?
+  end
+
+  def sudo?
+    sudo_enabled_at.present? && sudo_enabled_at > 1.hour.ago
+  end
+
+  def sudo
+    self.sudo_enabled_at = Time.now
+    save!
+  end
+
+  def logout
+    self.logged_out_at = Time.now
+    save!
+  end
+
+  def access(request, tracking=true)
+    self.accessed_at = Time.now
+    self.ip = request.remote_ip if tracking
+    self.user_agent = request.user_agent if tracking
+    save!
+  end
+
+  private
+
+  # The tokens created by this method have unique indexes but collisions are very
+  # unlikely (1/64^32). Because of this there shouldn't be a conflict. If one occurs
+  # the ActiveRecord::StatementInvalid or ActiveRecord::RecordNotUnique exeception
+  # should bubble up.
+  def set_remember_token
+    self.remember_token = SecureRandom.urlsafe_base64(32) if self.remember_token.blank?
+  end
+end
+

data/lib/generators/authkit/templates/app/views/password_reset/show.html.erb

@@ -1,8 +1,6 @@
 <h1>Reset your password</h1>
 
 <%%= form_tag(password_reset_path, method: "post") do %>
-  <%%= hidden_field_tag :token, params[:token] %>
-
   <div class="field">
     <%%= label_tag "email", "Email<% if username? %> or username<% end %>" %>
     <%%= text_field_tag "email" %>

data/lib/generators/authkit/templates/db/migrate/add_authkit_fields_to_users.rb

@@ -2,7 +2,7 @@
 #
 # Add fields to the users table for managing authentication.
 #
-class AddAuthkitFieldsToUsers < ActiveRecord::Migration
+class AddAuthkitFieldsToUsers < ActiveRecord::Migration[5.0]
   def self.up
     add_column :users, :email, :string, :default => "", :null => false
     add_column :users, :password_digest, :string, :default => "", :null => false
@@ -35,10 +35,6 @@ class AddAuthkitFieldsToUsers < ActiveRecord::Migration
     add_column :users, :reset_password_token, :string
     add_column :users, :reset_password_token_created_at, :datetime
 
-    # Remember
-    add_column :users, :remember_token, :string
-    add_column :users, :remember_token_created_at, :datetime
-
     # Confirmation
     add_column :users, :confirmation_email, :string
     add_column :users, :confirmation_token, :string
@@ -56,7 +52,6 @@ class AddAuthkitFieldsToUsers < ActiveRecord::Migration
     add_index :users, :email, :unique => true
     <% if username? %>add_index :users, :username, :unique => true
     <% end %>add_index :users, :reset_password_token, :unique => true
-    add_index :users, :remember_token, :unique => true
     add_index :users, :confirmation_token, :unique => true
     add_index :users, :unlock_token, :unique => true
 
@@ -93,10 +88,6 @@ class AddAuthkitFieldsToUsers < ActiveRecord::Migration
     drop_column :users, :reset_password_token
     drop_column :users, :reset_password_created_at
 
-    # Remember
-    drop_column :users, :remember_token
-    drop_column :users, :remember_token_created_at
-
     # Confirmation
     drop_column :users, :confirmation_email
     drop_column :users, :confirmation_token

data/lib/generators/authkit/templates/db/migrate/create_auths.rb

@@ -1,7 +1,7 @@
 # Generated by Authkit.
 #
 # Create an auths table for managing OAuth authentication.
-class CreateAuths < ActiveRecord::Migration
+class CreateAuths < ActiveRecord::Migration[5.0]
   def self.up
     create_table :auths do |t|
       t.integer  :user_id
@@ -14,8 +14,12 @@ class CreateAuths < ActiveRecord::Migration
       t.string   :refresh_token
       t.string   :secret_token
       t.text     :env
-      t.timestamps
+
+      t.timestamps null: false
     end
+
+    add_index :auths, :user_id
+    add_index :auths, [:provider, :uid]
   end
 
   def self.down

data/lib/generators/authkit/templates/db/migrate/create_avatars.rb

@@ -2,7 +2,7 @@
 #
 # Create an avatars table for managing user profile images
 #
-class CreateAvatars < ActiveRecord::Migration
+class CreateAvatars < ActiveRecord::Migration[5.0]
   def self.up
     create_table :avatars do |t|
       t.integer  :user_id
@@ -17,7 +17,8 @@ class CreateAvatars < ActiveRecord::Migration
       t.datetime :attachment_updated_at
       t.boolean  :attachment_importing, default: false
       t.datetime :attachment_uploaded_at
-      t.timestamps
+
+      t.timestamps null: false
     end
   end
 

data/lib/generators/authkit/templates/db/migrate/create_user_sessions.rb

@@ -0,0 +1,27 @@
+# Generated by Authkit.
+#
+# Create an user_sessions table for managing user logins.
+class CreateUserSessions < ActiveRecord::Migration[5.0]
+  def self.up
+    create_table :user_sessions do |t|
+      t.integer  :user_id
+      t.datetime :accessed_at
+      t.datetime :revoked_at
+      t.datetime :logged_out_at
+      t.datetime :sudo_enabled_at
+      t.string   :ip
+      t.string   :user_agent
+      t.string   :remember_token
+
+      t.timestamps null: false
+    end
+
+    add_index :user_sessions, :remember_token, :unique => true
+    add_index :user_sessions, [:accessed_at, :revoked_at, :logged_out_at], :name => 'index_user_sessions_active'
+    add_index :user_sessions, :user_id
+  end
+
+  def self.down
+    drop_table :user_sessions
+  end
+end

data/lib/generators/authkit/templates/db/migrate/create_users.rb

@@ -4,10 +4,10 @@
 # the authentication are created in the AddAuthkitFieldsToUsers
 # migration.
 #
-class CreateUsers < ActiveRecord::Migration
+class CreateUsers < ActiveRecord::Migration[5.0]
   def self.up
     create_table :users do |t|
-      t.timestamps
+      t.timestamps null: false
     end
   end
 

data/lib/generators/authkit/templates/spec/controllers/application_controller_spec.rb

@@ -1,16 +1,17 @@
 require 'rails_helper'
 
-describe ApplicationController do
-  let(:user) { create(:user) }
-  let(:logged_in_session) { { user_id: user.id } }
-  let(:unknown_session) { { user_id: user.id + 1000000 } }
+RSpec.describe ApplicationController do
+  let(:user_session) { create(:user_session) }
+  let(:user) { user_session.user }
+  let(:logged_in_session) { { user_session_id: user_session.id } }
+  let(:unknown_session) { { user_session_id: user_session.id + 1000000 } }
 
   before(:each) do
     user
   end
 
   controller do
-    before_filter :require_login, only: [:index]
+    before_action :require_login, only: [:index]
 
     def new
       head :ok
@@ -30,46 +31,33 @@ describe ApplicationController do
       get :new
       expect(controller.send(:current_user)).to be_nil
     end
+  end
 
-    it "does not perform multiple finds" do
-      where = double(first: nil)
-      expect(User).to receive(:where).and_return(where)
-      get :new, {}, unknown_session
-      expect(controller.send(:current_user)).to be_nil
+  describe "current_user_session" do
+    it "returns nil if there is no current user session" do
+      get :new
+      expect(controller.send(:current_user_session)).to be_nil
     end
 
-    it "finds the current user in the session" do
-      get :new, {}, logged_in_session
-      expect(controller.send(:current_user)).to eq(user)
+    it "finds the current user session in the session" do
+      get :new, session: logged_in_session
+      expect(controller.send(:current_user_session)).to eq(user_session)
     end
 
     it "finds the current user from the remember cookie" do
-      user.save
-      user.set_remember_token
-      cookies.signed[:remember] = user.remember_token
-      get :index
-      expect(controller.send(:current_user)).to eq(user)
-    end
-
-    it "doesn't find the current user from the remember cookie if it is expired" do
-      # Setup expired token
-      user.set_remember_token
-      user.remember_token_created_at = 1.year.ago
-      user.save
-
-      cookies.signed[:remember] = user.remember_token
+      cookies.signed[:remember] = user_session.remember_token
       get :index
-      expect(controller.send(:current_user)).to be_nil
+      expect(controller.send(:current_user_session)).to eq(user_session)
     end
 
     it "sets the time zone" do
       expect_any_instance_of(User).to receive(:time_zone).and_return("Pacific Time (US & Canada)")
-      get :index, {}, logged_in_session
+      get :index, session: logged_in_session
       expect(Time.zone.name).to eq("Pacific Time (US & Canada)")
     end
 
     it "has a logged in helper method" do
-      get :new, {}, logged_in_session
+      get :new, session: logged_in_session
       expect(controller.send(:logged_in?)).to eq(true)
     end
   end
@@ -89,30 +77,30 @@ describe ApplicationController do
 
   describe "when requiring a user" do
     it "allows access if there is a user" do
-      get :index, {}, logged_in_session
+      get :index, session: logged_in_session
       expect(response).to be_success
     end
 
     it "stores the return path" do
-      get :index, {}
+      get :index
       expect(session[:return_url]).to eq("/anonymous")
     end
 
     describe "when responding to html" do
       it "sets the flash message" do
-        get :index, {}
+        get :index
         expect(flash).to_not be_empty
       end
 
       it "redirecs the user to login" do
-        get :index, {}
+        get :index
         expect(response).to be_redirect
       end
     end
 
     describe "when responding to json" do
       it "returns a forbidden status" do
-        get :index, {format: :json}
+        get :index, params: { format: :json }
         expect(response.code).to eq("403")
       end
     end
@@ -125,17 +113,22 @@ describe ApplicationController do
       controller.send(:login, user)
     end
 
+    it "creates a session" do
+      expect {
+        get :new
+        controller.send(:login, user, true)
+      }.to change(UserSession, :count).by(1)
+    end
+
     it "remembers the user using a token and cookie" do
       get :new
       expect(controller).to receive(:set_remember_cookie)
-      expect(user).to receive(:set_remember_token)
       controller.send(:login, user, true)
     end
 
     it "does not remember the user using a token and cookie when not requested" do
       get :new
       expect(controller).to_not receive(:set_remember_cookie)
-      expect(user).to_not receive(:set_remember_token)
       controller.send(:login, user, false)
     end
 
@@ -148,33 +141,33 @@ describe ApplicationController do
 
   describe "logout" do
     it "resets the session" do
-      get :index, {}, logged_in_session
+      get :index, session: logged_in_session
       expect(controller).to receive(:reset_session)
       controller.send(:logout)
     end
 
-    it "logs the user out" do
-      get :index, {}, logged_in_session
+    it "marks the user session as logged out" do
+      get :index, session: logged_in_session
       controller.send(:logout)
-      expect(controller.send(:current_user)).to be_nil
+      expect(user_session.reload).to be_logged_out
     end
 
-    it "clears the remember token" do
-      get :index, {}, logged_in_session
-      expect_any_instance_of(User).to receive(:clear_remember_token).and_return(:true)
+    it "logs the user out" do
+      get :index, session: logged_in_session
       controller.send(:logout)
+      expect(controller.send(:current_user)).to be_nil
     end
   end
 
   it "sets the remember cookie" do
     request.env["action_dispatch.secret_token"] = "SECRET"
     get :new
-    controller.send(:login, user)
-    expect(cookies.permanent.signed[:remember]).to eq(user.remember_token)
+    new_session = controller.send(:login, user, true)
+    expect(controller.send(:cookies).permanent.signed[:remember]).to eq(new_session.remember_token)
   end
 
   it "redirects to a stored session location if present" do
-    get :new, {}, {return_url: "/return"}
+    get :new, session: { return_url: "/return" }
     expect(controller).to receive(:redirect_to).with("/return").and_return(true)
     controller.send(:redirect_back_or_default)
   end

data/lib/generators/authkit/templates/spec/controllers/email_confirmation_controller_spec.rb

@@ -1,6 +1,6 @@
 require 'rails_helper'
 
-describe EmailConfirmationController do
+RSpec.describe EmailConfirmationController do
   render_views
 
   let(:user) { build(:user) }
@@ -9,7 +9,7 @@ describe EmailConfirmationController do
   describe "GET 'show'" do
     it "requires a login" do
       allow(controller).to receive(:current_user).and_return(nil)
-      get 'show', token: token
+      get 'show', params: { token: token }
       expect(response).to be_redirect
       expect(flash[:error]).to_not be_empty
     end
@@ -17,7 +17,7 @@ describe EmailConfirmationController do
     it "requires a valid token" do
       user.confirmation_token = "OTHER TOKEN"
       allow(controller).to receive(:current_user).and_return(user)
-      get 'show', token: token
+      get 'show', params: { token: token }
       expect(response).to be_redirect
       expect(flash[:error]).to_not be_empty
     end
@@ -26,7 +26,7 @@ describe EmailConfirmationController do
       user.confirmation_token = token
       user.confirmation_token_created_at = 4.days.ago
       allow(controller).to receive(:current_user).and_return(user)
-      get 'show', token: token
+      get 'show', params: { token: token }
       expect(response).to be_redirect
       expect(flash[:error]).to_not be_empty
     end
@@ -42,27 +42,27 @@ describe EmailConfirmationController do
       describe "when the confirmation is successful" do
         it "confirms the user email" do
           expect(user).to receive(:email_confirmed).and_return(true)
-          get 'show', token: token
+          get 'show', params: { token: token }
         end
 
         it "does not sign the user in" do
           expect(controller).to_not receive(:login)
-          get 'show', token: token
+          get 'show', params: { token: token }
         end
 
         it "sets the flash" do
-          get 'show', token: token
+          get 'show', params: { token: token }
           expect(flash[:notice]).to_not be_nil
         end
 
         it "redirects the user" do
-          get 'show', token: token
+          get 'show', params: { token: token }
           expect(response).to be_redirect
         end
 
         describe "from json" do
           it "returns http success" do
-            get 'show', token: token, format: 'json'
+            get 'show', params: { token: token, format: 'json' }
             expect(response).to be_success
           end
         end
@@ -76,7 +76,7 @@ describe EmailConfirmationController do
 
         it "handles invalid confirmations" do
           expect(user).to receive(:email_confirmed).and_return(false)
-          get 'show', token: token
+          get 'show', params: { token: token }
           expect(flash[:error]).to_not be_empty
           expect(response).to be_redirect
         end
@@ -84,7 +84,7 @@ describe EmailConfirmationController do
         describe "from json" do
           it "returns a 422" do
             expect(user).to receive(:email_confirmed).and_return(false)
-            get 'show', token: token, format: 'json'
+            get 'show', params: { token: token, format: 'json' }
             expect(response.code).to eq('422')
           end
         end