authtrail 0.3.0 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e54d90f6f3527e7f9f37276deda00150f33b472069b97bd66b0d27f0a3a44c6f
-  data.tar.gz: aa1cd0b4fc8e01590efbd51cd872a57a3ef6e984c844166f261ebd01230a771a
+  metadata.gz: ff58207c013a0181500aea1886029896cae2af4fe0cf8dbf65bd1545e0637f4a
+  data.tar.gz: f2b530b002daaa2ca52f2dbf471199e9fcfc13c04c9c821df139b9e6e909eecc
 SHA512:
-  metadata.gz: b640a2f9705502d2405fc15d1bf4bf6082cac388addef26b3592514af117508db8b5f35306f5bd93555472f25e58a86b42d1ade276083bf4b4c4db6dea284ec8
-  data.tar.gz: 80475eaba75303cffdf3313706a3a58e73718804414002559780a55a1041616de61da596f9b67f79b57e71998e9c27a8c590faefdb0febaaa9834fd74b897a55
+  metadata.gz: 94ec2b6986bef058156630c1dccf900c366f1b9c2aaf84703c5372370dbf305af698c554c9e1b5f0ca64d144cd934c065499ac745c711a98d8dfe33c3138ed5b
+  data.tar.gz: ae73465fd479199a31cabed9a87a6afdf6acca838de32c8b329f2da061709229046812584dfce1a9a8fdb4650834a5b2a4f2928ac7ea0d6e0cbf50da98e2c4c2

data/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 0.4.2 (2021-12-13)
+
+- Added experimental support for Active Record encryption
+- Fixed error with Rails 7 rc1
+
+## 0.4.1 (2021-08-14)
+
+- Improved error message when `geocoder` gem not installed
+
+## 0.4.0 (2021-08-13)
+
+- Disabled geocoding by default (this was already the case for new installations with 0.3.0+)
+- Made the `geocoder` gem an optional dependency
+- Added `country_code` to geocoding
+
+## 0.3.1 (2021-03-03)
+
+- Added `--lockbox` option to install generator
+
 ## 0.3.0 (2021-03-01)
 
 - Disabled geocoding by default for new installations

data/README.md

@@ -2,6 +2,8 @@
 
 Track Devise login activity
 
+**AuthTrail 0.4.0 was recently released** - see [how to upgrade](#upgrading)
+
 :tangerine: Battle-tested at [Instacart](https://www.instacart.com/opensource)
 
 [![Build Status](https://github.com/ankane/authtrail/workflows/build/badge.svg?branch=master)](https://github.com/ankane/authtrail/actions)
@@ -14,13 +16,29 @@ Add this line to your application’s Gemfile:
 gem 'authtrail'
 ```
 
-And run:
+To encrypt email and IP addresses with Lockbox, install [Lockbox](https://github.com/ankane/lockbox) and [Blind Index](https://github.com/ankane/blind_index) and run:
 
 ```sh
-rails generate authtrail:install
+rails generate authtrail:install --encryption=lockbox
 rails db:migrate
 ```
 
+To use Active Record encryption (Rails 7+, experimental, unreleased), run:
+
+```sh
+rails generate authtrail:install --encryption=activerecord
+rails db:migrate
+```
+
+If you prefer not to encrypt data, run:
+
+```sh
+rails generate authtrail:install --encryption=none
+rails db:migrate
+```
+
+To enable geocoding, see the [Geocoding section](#geocoding).
+
 ## How It Works
 
 A `LoginActivity` record is created every time a user tries to login. You can then use this information to detect suspicious behavior. Data includes:
@@ -95,9 +113,15 @@ The `LoginActivity` model uses a [polymorphic association](https://guides.rubyon
 
 ## Geocoding
 
-AuthTrail uses [Geocoder](https://github.com/alexreisner/geocoder) for geocoding. We recommend configuring [local geocoding](#local-geocoding) so IP addresses are not sent to a 3rd party service. If you do use a 3rd party service and adhere to GDPR, be sure to add it to your subprocessor list.
+AuthTrail uses [Geocoder](https://github.com/alexreisner/geocoder) for geocoding. We recommend configuring [local geocoding](#local-geocoding) or [load balancer geocoding](#load-balancer-geocoding) so IP addresses are not sent to a 3rd party service. If you do use a 3rd party service and adhere to GDPR, be sure to add it to your subprocessor list.
+
+To enable geocoding, add this line to your application’s Gemfile:
 
-To enable geocoding, update `config/initializers/authtrail.rb`:
+```ruby
+gem 'geocoder'
+```
+
+And update `config/initializers/authtrail.rb`:
 
 ```ruby
 AuthTrail.geocode = true
@@ -146,17 +170,40 @@ Geocoder.configure(
 )
 ```
 
-## Data Protection
+### Load Balancer Geocoding
+
+Some load balancers can add geocoding information to request headers.
 
-Protect the privacy of your users by encrypting fields that contain personal data, such as `identity` and `ip`. [Lockbox](https://github.com/ankane/lockbox) is great for this. Use [Blind Index](https://github.com/ankane/blind_index) so you can still query the fields.
+- [nginx](https://nginx.org/en/docs/http/ngx_http_geoip_module.html)
+- [Google Cloud](https://cloud.google.com/load-balancing/docs/custom-headers)
+- [Cloudflare](https://support.cloudflare.com/hc/en-us/articles/200168236-Configuring-Cloudflare-IP-Geolocation)
 
 ```ruby
-class LoginActivity < ApplicationRecord
-  encrypts :identity, :ip
-  blind_index :identity, :ip
+AuthTrail.geocode = false
+
+AuthTrail.transform_method = lambda do |data, request|
+  data[:country] = request.headers["<country-header>"]
+  data[:region] = request.headers["<region-header>"]
+  data[:city] = request.headers["<city-header>"]
 end
 ```
 
+Check out [this example](https://github.com/ankane/authtrail/issues/40)
+
+## Data Retention
+
+Delete older data with:
+
+```ruby
+LoginActivity.where("created_at < ?", 2.years.ago).in_batches.delete_all
+```
+
+Delete data for a specific user with:
+
+```ruby
+LoginActivity.where(user_id: 1, user_type: "User").in_batches.delete_all
+```
+
 ## Other Notes
 
 We recommend using this in addition to Devise’s `Lockable` module and [Rack::Attack](https://github.com/kickstarter/rack-attack).
@@ -165,6 +212,18 @@ Check out [Hardening Devise](https://ankane.org/hardening-devise) and [Secure Ra
 
 ## Upgrading
 
+### 0.4.0
+
+There are two notable changes to geocoding:
+
+1. Geocoding is now disabled by default (this was already the case for new installations with 0.3.0+). Check out the instructions for [how to enable it](#geocoding) (you may need to create `config/initializers/authtrail.rb`).
+
+2. The `geocoder` gem is now an optional dependency. To use geocoding, add it to your Gemfile:
+
+  ```ruby
+  gem 'geocoder'
+  ```
+
 ### 0.2.0
 
 To store latitude and longitude, create a migration with:

data/app/jobs/auth_trail/geocode_job.rb

@@ -8,6 +8,8 @@ module AuthTrail
       result =
         begin
           Geocoder.search(login_activity.ip).first
+        rescue NameError
+          raise "Add the geocoder gem to your Gemfile to use geocoding"
         rescue => e
           Rails.logger.info "Geocode failed: #{e.message}"
           nil
@@ -18,6 +20,7 @@ module AuthTrail
           city: result.try(:city),
           region: result.try(:state),
           country: result.try(:country),
+          country_code: result.try(:country_code),
           latitude: result.try(:latitude),
           longitude: result.try(:longitude)
         }

data/lib/auth_trail/engine.rb

@@ -1,3 +1,4 @@
+require "active_support"
 require "rails/engine"
 
 module AuthTrail

data/lib/auth_trail/version.rb

@@ -1,3 +1,3 @@
 module AuthTrail
-  VERSION = "0.3.0"
+  VERSION = "0.4.2"
 end

data/lib/authtrail.rb

@@ -1,5 +1,4 @@
 # dependencies
-require "geocoder"
 require "warden"
 
 # modules
@@ -11,7 +10,7 @@ module AuthTrail
   class << self
     attr_accessor :exclude_method, :geocode, :track_method, :identity_method, :job_queue, :transform_method
   end
-  self.geocode = true
+  self.geocode = false
   self.identity_method = lambda do |request, opts, user|
     if user
       user.try(:email)

data/lib/generators/authtrail/install_generator.rb

@@ -6,7 +6,12 @@ module Authtrail
       include ActiveRecord::Generators::Migration
       source_root File.join(__dir__, "templates")
 
+      class_option :encryption, type: :string
+      # deprecated
+      class_option :lockbox, type: :boolean
+
       def copy_migration
+        encryption # ensure valid
         migration_template "login_activities_migration.rb", "db/migrate/create_login_activities.rb", migration_version: migration_version
       end
 
@@ -15,12 +20,56 @@ module Authtrail
       end
 
       def generate_model
-        template "login_activity_model.rb", "app/models/login_activity.rb"
+        case encryption
+        when "lockbox"
+          template "model_lockbox.rb", "app/models/login_activity.rb"
+        when "activerecord"
+          template "model_activerecord.rb", "app/models/login_activity.rb"
+        else
+          template "model_none.rb", "app/models/login_activity.rb"
+        end
       end
 
       def migration_version
         "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
       end
+
+      def identity_column
+        case encryption
+        when "lockbox"
+          "t.text :identity_ciphertext\n      t.string :identity_bidx, index: true"
+        else
+          # TODO add limit: 510 for Active Record encryption + MySQL?
+          "t.string :identity, index: true"
+        end
+      end
+
+      def ip_column
+        case encryption
+        when "lockbox"
+          "t.text :ip_ciphertext\n      t.string :ip_bidx, index: true"
+        else
+          # TODO add limit: 510 for Active Record encryption + MySQL?
+          "t.string :ip, index: true"
+        end
+      end
+
+      # TODO remove default
+      def encryption
+        case options[:encryption]
+        when "lockbox", "activerecord", "none"
+          options[:encryption]
+        when nil
+          if options[:lockbox]
+            # TODO deprecation warning
+            "lockbox"
+          else
+            "none"
+          end
+        else
+          abort "Error: encryption must be lockbox, activerecord, or none"
+        end
+      end
     end
   end
 end

data/lib/generators/authtrail/templates/initializer.rb.tt

@@ -1,5 +1,5 @@
-# set to true for geocoding
-# we recommend configuring local geocoding first
+# set to true for geocoding (and add the geocoder gem to your Gemfile)
+# we recommend configuring local geocoding as well
 # see https://github.com/ankane/authtrail#geocoding
 AuthTrail.geocode = false
 

data/lib/generators/authtrail/templates/login_activities_migration.rb.tt

@@ -3,12 +3,12 @@ class <%= migration_class_name %> < ActiveRecord::Migration<%= migration_version
     create_table :login_activities do |t|
       t.string :scope
       t.string :strategy
-      t.string :identity
+      <%= identity_column %>
       t.boolean :success
       t.string :failure_reason
       t.references :user, polymorphic: true
       t.string :context
-      t.string :ip
+      <%= ip_column %>
       t.text :user_agent
       t.text :referrer
       t.string :city
@@ -18,8 +18,5 @@ class <%= migration_class_name %> < ActiveRecord::Migration<%= migration_version
       t.float :longitude
       t.datetime :created_at
     end
-
-    add_index :login_activities, :identity
-    add_index :login_activities, :ip
   end
 end

data/lib/generators/authtrail/templates/model_activerecord.rb.tt

@@ -0,0 +1,14 @@
+class LoginActivity < ApplicationRecord
+  belongs_to :user, polymorphic: true, optional: true
+
+  encrypts :identity, deterministic: true
+  encrypts :ip, deterministic: true
+
+  before_save :reduce_precision
+
+  # reduce precision to city level to protect IP
+  def reduce_precision
+    self.latitude = latitude&.round(1) if try(:latitude_changed?)
+    self.longitude = longitude&.round(1) if try(:longitude_changed?)
+  end
+end

data/lib/generators/authtrail/templates/model_lockbox.rb.tt

@@ -0,0 +1,14 @@
+class LoginActivity < ApplicationRecord
+  belongs_to :user, polymorphic: true, optional: true
+
+  encrypts :identity, :ip
+  blind_index :identity, :ip
+
+  before_save :reduce_precision
+
+  # reduce precision to city level to protect IP
+  def reduce_precision
+    self.latitude = latitude&.round(1) if try(:latitude_changed?)
+    self.longitude = longitude&.round(1) if try(:longitude_changed?)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authtrail
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.2
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-02 00:00:00.000000000 Z
+date: 2021-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -52,20 +52,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: geocoder
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 description:
 email: andrew@ankane.org
 executables: []
@@ -83,7 +69,9 @@ files:
 - lib/generators/authtrail/install_generator.rb
 - lib/generators/authtrail/templates/initializer.rb.tt
 - lib/generators/authtrail/templates/login_activities_migration.rb.tt
-- lib/generators/authtrail/templates/login_activity_model.rb.tt
+- lib/generators/authtrail/templates/model_activerecord.rb.tt
+- lib/generators/authtrail/templates/model_lockbox.rb.tt
+- lib/generators/authtrail/templates/model_none.rb.tt
 homepage: https://github.com/ankane/authtrail
 licenses:
 - MIT
@@ -103,7 +91,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: Track Devise login activity