avocado 0.4.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e265345c4e35e1dd2caed0c61da1298f12767aac67bf9e87b92433d47866375b
-  data.tar.gz: 1253d00e053907caa9d78cd7f8667a695aae55853fbb6db94b45bbcd1845da10
+  metadata.gz: 393630ca933c51e34b00e2fe86bbcfb5caa4ea7764fc34882c21ef4f604bb938
+  data.tar.gz: bfc5362c53ecee86c6369a1318c68fddf2bbd7e457287cb5b9c6b57970ded8aa
 SHA512:
-  metadata.gz: 2fb300cf06c7c67fc9ecfea196bd23b770482f2b765d9438fb2ee24f193942565db6d470a75bce99bb1b016b94f355ab9e4b6f6a5a19bb0277d79c7bb06c247d
-  data.tar.gz: 9437dfe9000245f75089c3705a3bf4527705ceccab38a6760381d57dd13fda74881eb14db25b8ca33f26aee67fa6fd30ce42632a24541bcb1c672e6ea9eb80b5
+  metadata.gz: efbe7bfe5b298b207e65e7958e3167be69d6612bd50e8a4a880483ec1a1d9e2c30d45fdae86e0516d34bb00442c0cd16416ad77a00a50ac31c707295d1538709
+  data.tar.gz: b96ba925c445b78c92c560a01c395697dab736363a847c766e310879ded4ad58b97b7dae052a73ed1a267f7315bedd171d9f0097978760cb3de6a1e9b3c02969

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 ## [Unreleased]
 
+## [0.6.0] - 2023-07-25
+
+- Change affirmations and verifications to require user action
+- Use session token instead of id for signed cookie value
+- Add migration generators
+
+## [0.5.0] - 2023-07-21
+
+- Add controller for "passwordless" email-link sign-in
+- Add event class to log user auth events
+- Add user-facing email and password edit pages
+- Add various event logging callbacks
+- Sign out all non current sessions when password changes
+
 ## [0.4.0] - 2023-07-19
 
 - Convert the `Avocado::Mailer` module into a class

data/README.md

@@ -1,6 +1,6 @@
-# Avocado
+# 🥑
 
-A collection of authentication tools for use in [Rails] 7.1+ applications.
+Authentication library for [Rails] 7.1+ applications.
 
 ## Installation
 
@@ -10,45 +10,13 @@ Add to the application's Gemfile by executing:
 
 ## Usage
 
-If you are nervous about using Rails features directly, preferring to consume
-such features via a packaged gem, you can include some Avocado modules into your
-application to get authentication functionality.
-
-As a prerequisite, you should have a database schema with columns that match the
-users and sessions tables from [the demo app schema]. It's ok to have more
-columns, but you need at least what is shown there.
-
-With that set, include the modules into your classes:
-
-```ruby
-class User < ApplicationRecord
-  include Avocado::User
-end
-
-class Session < ApplicationRecord
-  include Avocado::Session
-end
-
-class ApplicationController < ActionController::Base
-  include Avocado::Authentication
-end
-```
-
-This will enable a few things:
-
-- Models will get validations, associations, and normalizations
-- Rails built-in `has_secure_password` is called within `User`
-- A mailer with signed token generators is created
-- Controllers and Routes for sign up, sign in, password reset, email
-  verification, etc
-
-The `spec/internal` app within this repo has some example usage.
+Read the [documentation] for more details or the [wiki] for background.
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run
-`rake spec` to run the tests. You can also run `bin/console` for an interactive
-prompt that will allow you to experiment.
+After checking out the repo, run `bin/setup` to install dependencies. Use
+`bin/rspec` to run the full spec suite and `bin/standardrb` to run the linter.
+Running `bin/rake` will run specs & linter.
 
 ## Contributing
 
@@ -58,7 +26,8 @@ Bug reports and pull requests are welcome on [GitHub].
 
 The gem is available as open source under the terms of the [MIT License].
 
+[documentation]: https://github.com/tcuwp/avocado/blob/main/docs/USAGE.md
 [GitHub]: https://github.com/tcuwp/avocado
 [MIT License]: https://opensource.org/licenses/MIT
 [Rails]: https://github.com/rails/rails
-[the demo app schema]: https://github.com/tcuwp/avocado/blob/main/spec/internal/db/schema.rb
+[wiki]: https://github.com/tcuwp/avocado/wiki

data/app/controllers/avocado/affirmations_controller.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Avocado
+  class AffirmationsController < BaseController
+    skip_before_action :authenticate
+
+    before_action :set_user, only: %i[edit update]
+    before_action :verify_user, only: :create
+
+    def new
+    end
+
+    def create
+      send_affirmation_email
+      redirect_to new_session_path, notice: "Check your email for sign in instructions"
+    end
+
+    def edit
+    end
+
+    def update
+      sign_in(@user)
+      redirect_to(root_path, notice: "Signed in successfully")
+    end
+
+    private
+
+    def set_user
+      @user = user_from_signed_affirmation_token
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      redirect_to new_affirmation_path, alert: "That sign in link is invalid"
+    end
+
+    def user_from_signed_affirmation_token
+      ::User.find_by_token_for!(:email_affirmation, params[:id])
+    end
+
+    def verify_user
+      unless requested_verified_user
+        redirect_to new_affirmation_path, alert: "You can't sign in until you verify your email"
+      end
+    end
+
+    def send_affirmation_email
+      mailer_for(requested_verified_user)
+        .email_affirmation
+        .deliver_later
+    end
+  end
+end

data/app/controllers/avocado/base_controller.rb

@@ -2,8 +2,30 @@
 
 module Avocado
   class BaseController < ApplicationController
+    FINDER_PARAMETERS = %i[email]
+
     private
 
+    def verify_password_challenge
+      unless current_user.authenticate(params_password_challenge)
+        redirect_back alert: "Password challenge failed.", fallback_location: root_path
+      end
+    end
+
+    def params_password_challenge
+      params.dig(:user, :password_challenge)
+    end
+
+    def requested_verified_user
+      ::User.verified.find_by(email: finder_parameters[:email])
+    end
+
+    def finder_parameters
+      params
+        .require(:user)
+        .permit(FINDER_PARAMETERS)
+    end
+
     def mailer_for(user)
       Avocado::Mailer.with(user: user)
     end

data/app/controllers/avocado/emails_controller.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Avocado
+  class EmailsController < BaseController
+    UPDATE_PARAMETERS = %i[email]
+
+    before_action :set_user
+    before_action :verify_password_challenge, only: :update
+
+    def edit
+    end
+
+    def update
+      if @user.update(update_parameters)
+        process_email_update
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    private
+
+    def set_user
+      @user = current_user
+    end
+
+    def update_parameters
+      params
+        .require(:user)
+        .permit(UPDATE_PARAMETERS)
+    end
+
+    def process_email_update
+      if @user.email_previously_changed?
+        resend_email_verification
+        redirect_to root_path, notice: "Your email has been changed"
+      else
+        redirect_to root_path
+      end
+    end
+
+    def resend_email_verification
+      mailer_for(@user)
+        .email_verification
+        .deliver_later
+    end
+  end
+end

data/app/controllers/avocado/events_controller.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Avocado
+  class EventsController < BaseController
+    def index
+      @events = current_user.events.newest_first
+    end
+  end
+end

data/app/controllers/avocado/passwords_controller.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Avocado
+  class PasswordsController < BaseController
+    UPDATE_PARAMETERS = %i[password password_confirmation password_challenge]
+
+    before_action :set_user
+    before_action :verify_password_challenge, only: :update
+
+    def edit
+    end
+
+    def update
+      if @user.update(update_parameters)
+        redirect_to root_path, notice: "Your password has been changed"
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    private
+
+    def set_user
+      @user = current_user
+    end
+
+    def update_parameters
+      params
+        .require(:user)
+        .permit(UPDATE_PARAMETERS)
+        .with_defaults(password_challenge: "")
+    end
+  end
+end

data/app/controllers/avocado/recoveries_controller.rb

@@ -2,7 +2,7 @@
 
 module Avocado
   class RecoveriesController < BaseController
-    PERMITTED_PARAMS = %i[password password_confirmation]
+    UPDATE_PARAMETERS = %i[password password_confirmation]
 
     skip_before_action :authenticate
 
@@ -12,16 +12,16 @@ module Avocado
     def new
     end
 
-    def edit
-    end
-
     def create
       send_password_reset_email
       redirect_to new_session_path, notice: "Check your email for reset instructions."
     end
 
+    def edit
+    end
+
     def update
-      if @user.update(user_params)
+      if @user.update(update_parameters)
         redirect_to new_session_path, notice: "Password reset successfully. Please sign in."
       else
         render :edit, status: :unprocessable_entity
@@ -41,23 +41,19 @@ module Avocado
     end
 
     def verify_user
-      unless user_from_params_email
+      unless requested_verified_user
         redirect_to new_recovery_path, alert: "Verify email first before resetting password."
       end
     end
 
-    def user_params
+    def update_parameters
       params
         .require(:user)
-        .permit(PERMITTED_PARAMS)
-    end
-
-    def user_from_params_email
-      ::User.find_by(email: params[:email], verified: true)
+        .permit(UPDATE_PARAMETERS)
     end
 
     def send_password_reset_email
-      mailer_for(user_from_params_email)
+      mailer_for(requested_verified_user)
         .password_reset
         .deliver_later
     end

data/app/controllers/avocado/registrations_controller.rb

@@ -2,7 +2,7 @@
 
 module Avocado
   class RegistrationsController < BaseController
-    PERMITTED_PARAMS = %i[email password password_confirmation]
+    INITIALIZATION_PARAMETERS = %i[email password password_confirmation]
 
     skip_before_action :authenticate
 
@@ -11,7 +11,7 @@ module Avocado
     end
 
     def create
-      @user = ::User.new(user_params)
+      @user = ::User.new(initialization_parameters)
 
       if @user.save
         sign_in(@user)
@@ -25,10 +25,10 @@ module Avocado
 
     private
 
-    def user_params
+    def initialization_parameters
       params
         .require(:user)
-        .permit(PERMITTED_PARAMS)
+        .permit(INITIALIZATION_PARAMETERS)
     end
 
     def send_email_verification

data/app/controllers/avocado/sessions_controller.rb

@@ -2,7 +2,7 @@
 
 module Avocado
   class SessionsController < BaseController
-    PERMITTED_PARAMS = %i[email password]
+    AUTHENTICATION_PARAMETERS = %i[email password]
 
     skip_before_action :authenticate, only: %i[new create]
 
@@ -33,15 +33,15 @@ module Avocado
 
     private
 
-    def session_params
+    def authentication_parameters
       params
         .require(:session)
-        .permit(PERMITTED_PARAMS)
+        .permit(AUTHENTICATION_PARAMETERS)
         .with_defaults(email: "", password: "")
     end
 
     def authenticated_user
-      @_authenticated_user ||= ::User.authenticate_by(session_params)
+      @_authenticated_user ||= ::User.authenticate_by(authentication_parameters)
     end
 
     def verify_authentication_attempt

data/app/controllers/avocado/verifications_controller.rb

@@ -2,12 +2,15 @@
 
 module Avocado
   class VerificationsController < BaseController
-    with_options only: :show do
+    with_options only: %i[edit update] do
       skip_before_action :authenticate
       before_action :set_user
     end
 
-    def show
+    def edit
+    end
+
+    def update
       @user.update! verified: true
       redirect_to root_path, notice: "Email address verified."
     end

data/app/views/avocado/affirmations/edit.html.erb

@@ -0,0 +1,7 @@
+<h2>
+  Sign in without password
+</h2>
+
+<%= form_with url: affirmation_path(id: params[:id]), method: :patch do |form| %>
+  <%= form.button "Submit", name: nil %>
+<% end -%>

data/app/views/avocado/affirmations/new.html.erb

@@ -0,0 +1,14 @@
+<h2>
+  Sign in without password
+</h2>
+
+<p>
+  <%= link_to "Reset your password", new_recovery_path %>
+</p>
+
+<%= form_with url: affirmations_path, scope: :user do |form| %>
+  <%= form.label :email %>
+  <%= form.email_field :email, autofocus: true, autocomplete: "email", required: true %>
+
+  <%= form.button "Submit", name: nil %>
+<% end -%>

data/app/views/avocado/emails/edit.html.erb

@@ -0,0 +1,20 @@
+<h2>
+  Change your email address
+</h2>
+
+<% if current_user.verified? %>
+  <p>Your email address is verified.</p>
+<% else %>
+  <p>Your email address is not verified. Check your email and follow the instructions to confirm it's your email address.</p>
+  <p><%= button_to "Re-send verification email", verifications_path %></p>
+<% end %>
+
+<%= form_with model: @user, url: email_path, method: :patch do |form| %>
+  <%= form.label :email %>
+  <%= form.email_field :email, autocomplete: "email", required: true %>
+
+  <%= form.label :password_challenge, "Current password" %>
+  <%= form.password_field :password_challenge, autocomplete: "current-password", required: true %>
+
+  <%= form.button "Submit", name: nil %>
+<% end %>

data/app/views/avocado/events/_event.html.erb

@@ -0,0 +1,6 @@
+<tr id="<%= dom_id event %>">
+  <td><%= event.action %></td>
+  <td><%= event.created_at %></td>
+  <td><%= truncate event.user_agent %></td>
+  <td><%= event.ip_address %></td>
+</tr>

data/app/views/avocado/events/index.html.erb

@@ -0,0 +1,17 @@
+<h2>
+  Events
+</h2>
+
+<table id="events">
+  <thead>
+    <tr>
+      <th scope="col">Action</th>
+      <th scope="col">Created</th>
+      <th scope="col">User Agent</th>
+      <th scope="col">IP Address</th>
+    </tr>
+  </thead>
+  <tbody>
+    <%= render @events %>
+  </tbody>
+</table>

data/app/views/avocado/mailer/email_affirmation.text.erb

@@ -1 +1,3 @@
-Email affirmation email
+Sign in by following this link:
+
+<%= edit_affirmation_url(id: @signed_id) %>

data/app/views/avocado/mailer/email_verification.text.erb

@@ -1,3 +1,3 @@
-Email verification email
+Verify your email by following this link:
 
-<%= verification_url(id: @signed_id) %>
+<%= edit_verification_url(id: @signed_id) %>

data/app/views/avocado/mailer/password_reset.text.erb

@@ -1,3 +1,3 @@
-Password reset email
+Reset your password by following this link:
 
 <%= edit_recovery_url(id: @signed_id) %>

data/app/views/avocado/passwords/edit.html.erb

@@ -0,0 +1,16 @@
+<h2>
+  Change your password
+</h2>
+
+<%= form_with model: @user, url: password_path, method: :patch do |form| %>
+  <%= form.label :password_challenge, "Current password" %>
+  <%= form.password_field :password_challenge, autocomplete: "current-password", required: true %>
+
+  <%= form.label :password %>
+  <%= form.password_field :password, autocomplete: "new-password", required: true %>
+
+  <%= form.label :password_confirmation %>
+  <%= form.password_field :password_confirmation, autocomplete: "new-password", required: true %>
+
+  <%= form.button "Submit", name: nil %>
+<% end %>

data/app/views/avocado/recoveries/edit.html.erb

@@ -1,5 +1,5 @@
 <h2>
-  Reset your password
+  Change your password
 </h2>
 
 <p>
@@ -13,5 +13,5 @@
   <%= form.label :password_confirmation %>
   <%= form.password_field :password_confirmation, autocomplete: "new-password", required: true %>
 
-  <%= form.button "Update password", name: nil %>
+  <%= form.button "Submit", name: nil %>
 <% end %>

data/app/views/avocado/recoveries/new.html.erb

@@ -1,14 +1,14 @@
 <h2>
-  Recover your password
+  Reset your password
 </h2>
 
 <p>
   <%= link_to "Sign in to your account", new_session_path %>
 </p>
 
-<%= form_with url: recoveries_path do |form| %>
+<%= form_with url: recoveries_path, scope: :user do |form| %>
   <%= form.label :email %>
   <%= form.email_field :email, autofocus: true, autocomplete: "email", required: true %>
 
-  <%= form.button "Recover", name: nil %>
+  <%= form.button "Submit", name: nil %>
 <% end -%>

data/app/views/avocado/registrations/new.html.erb

@@ -19,5 +19,5 @@
     <%= form.label :password_confirmation %>
     <%= form.password_field :password_confirmation, autocomplete: "new-password", required: true %>
   </div>
-  <%= form.button "Sign up", name: nil %>
+  <%= form.button "Submit", name: nil %>
 <% end %>

data/app/views/avocado/sessions/new.html.erb

@@ -11,5 +11,5 @@
   <%= form.email_field :email, autofocus: true, autocomplete: "email", required: true %>
   <%= form.label :password %>
   <%= form.password_field :password, autocomplete: "current-password", required: true %>
-  <%= form.button "Sign in", name: nil %>
+  <%= form.button "Submit", name: nil %>
 <% end -%>

data/app/views/avocado/verifications/edit.html.erb

@@ -0,0 +1,7 @@
+<h2>
+  Verify your email
+</h2>
+
+<%= form_with url: verification_path(id: params[:id]), method: :patch do |form| %>
+  <%= form.button "Submit", name: nil %>
+<% end -%>

data/config/routes/avocado.rb

@@ -0,0 +1,10 @@
+scope module: :avocado do
+  resource :email, only: %i[edit update]
+  resource :password, only: %i[edit update]
+  resources :affirmations, only: %i[new create edit update]
+  resources :events, only: %i[index]
+  resources :recoveries, only: %i[new create edit update]
+  resources :registrations, only: %i[new create]
+  resources :sessions, only: %i[index new create destroy]
+  resources :verifications, only: %i[create edit update]
+end

data/config/routes//360/237/245/221.rb

@@ -0,0 +1 @@
+avocado.rb

data/docs/USAGE.md

@@ -0,0 +1,155 @@
+# Overview
+
+The 🥑 gem is a [Rails Engine] composed of a mixture of Ruby modules that get
+included into application classes and Ruby classes which will run directly from
+the 🥑 gem itself. The classes are intended to provide good defaults for basic
+scenarios, and can be subclassed and overridden for special cases.
+
+## Requirements
+
+Apps must be running Rails 7.1 or newer. The 🥑 gem uses features like
+`authenticate_by`, `has_secure_password`, `generates_token_for`, and
+`normalizes` which don't exist in earlier versions.
+
+The database schema must have columns that match the `users`, `sessions`, and
+`events` tables from the [demo app schema]. More columns in each table are
+acceptable; the demo is just a minimum. Slight variations (using `uuid` instead
+of `bigint` for example) are harmless, but large departures will break the
+integration.
+
+Run `bin/rails g avocado:migrations` to generate migrations for the tables.
+
+The application must also have:
+
+- An `ApplicationController` base controller class
+- An `ApplicationMailer` base mailer class
+- A `root_path` method (typically generated by application routes)
+
+## Usage
+
+### Models
+
+Include these modules into `ActiveRecord` model classes:
+
+```ruby
+class User < ApplicationRecord
+  include Avocado::User
+end
+
+class Session < ApplicationRecord
+  include Avocado::Session
+end
+
+class Event < ApplicationRecord
+  include Avocado::Event
+end
+```
+
+This will set up some basic associations, validations, callbacks, and
+normalizations for those models.
+
+### Controllers
+
+Add the `Avocado::Authentication` module to the top-level controller:
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Avocado::Authentication
+end
+```
+
+### Routes
+
+The 🥑 gem does not add any routes to the application when initialized. To hook
+up the controllers to routes, they must be added to the `config/routes.rb` of
+the application. It's possible to add all of the routes, or just a subset.
+
+Example that defines a root route and also pulls in every feature route:
+
+```ruby
+Rails.application.routes.draw do
+  root to: "records#index"
+  draw(🥑)
+end
+```
+
+Example that adds only the sign-up, sign-in, and sign-out actions:
+
+```ruby
+Rails.application.routes.draw do
+  root to: "records#index"
+  scope module: :avocado do
+    resources :registrations, only: %i[new create]
+    resources :sessions, only: %i[new create destroy]
+  end
+end
+```
+
+## Summary
+
+### Routable controller features
+
+The 🥑 gem will create REST-ful routes that go to the various controllers during
+app initialization.
+
+These external (unauthenticated) features are available:
+
+- `Registrations` -- Fill out new form and create users
+- `Sessions` -- Sign in and sign out features
+- `Recoveries` -- Trigger password reset, click link, confirm
+- `Verifications` -- Email confirmation on account creation or email change
+- `Affirmations` -- Provides a "passwordless" auth via emailed link
+
+These internal (authenticated) features are available:
+
+- `Sessions` -- List active sessions, click to destroy untrusted ones
+- `Events` -- List view of user activity audit log
+- `Passwords` -- Edit and update user password
+- `Emails` -- Edit and update user email
+
+Linking to any of these internal pages is optional. Apps can use them as-is,
+override their views, or even ignore them entirely and make local versions.
+
+### Mailers
+
+There is an `Avocado::Mailer` which gets called to send emails. The mailer views
+here are very basic, and should be overriden within applications. Place views
+within `app/views/avocado/mailer/` to make this happen.
+
+### Before actions
+
+There is an `authenticate` method installed as a default `before_action`. Any
+actions which do not need to be authenticated should disable this with
+`skip_before_action`.
+
+There is a `set_current_request_details` method installed as a default
+`before_action` which takes some loggable request meta information (user agent,
+IP address) and sets its value in `Current` so that its accesible to code
+elsewhere in the 🥑 gem.
+
+### Helpers
+
+The `Avocado::Authentication` module included into the application controller
+provides some helper methods available in controllers, views, and helpers:
+
+- `signed_in?` is true if the session has a signed in user
+- `current_session` provides the DB record for the session, if one exists
+- `current_user` returns the user belonging to that session
+
+Usage of these can be seen in the views in the [demo app].
+
+## Customization
+
+There is not any configuration. To override functionality:
+
+- Redefine a method created in one of the models by the included module
+- Subclass a controller and update the routing to go to the subclass
+- Place views in the app where avocado expects them to override the defaults
+
+## Examples
+
+There is a [demo app] used by the specs which has some example usage.
+
+[demo app schema]: https://github.com/tcuwp/avocado/blob/main/spec/internal/db/schema.rb
+[demo app]: https://github.com/tcuwp/avocado/blob/main/spec/internal
+[Rails Engine]: https://guides.rubyonrails.org/engines.html#what-are-engines-questionmark

data/lib/avocado/authentication.rb

@@ -37,12 +37,12 @@ module Avocado
 
     def sign_in(user)
       ::Session.create!(user: user).tap do |session|
-        cookies.signed.permanent[:session_token] = {value: session.id, httponly: true}
+        cookies.signed.permanent[:session_token] = {value: session.token, httponly: true}
       end
     end
 
     def session_from_token
-      ::Session.find_by_id(cookies.signed[:session_token])
+      ::Session.find_by_token(cookies.signed[:session_token])
     end
 
     def set_current_request_details

data/lib/avocado/current.rb

@@ -1,13 +1,15 @@
 # frozen_string_literal: true
 
-class Current < ActiveSupport::CurrentAttributes
-  attribute :session,
-    :user,
-    :user_agent,
-    :ip_address
+module Avocado
+  class Current < ActiveSupport::CurrentAttributes
+    attribute :session,
+      :user,
+      :user_agent,
+      :ip_address
 
-  def session=(session)
-    super
-    self.user = session.user
+    def session=(session)
+      super
+      self.user = session.user
+    end
   end
 end

data/lib/avocado/engine.rb

@@ -5,5 +5,10 @@ require "rails/engine"
 
 module Avocado
   class Engine < Rails::Engine
+    initializer :avocado_routing do
+      ActiveSupport.on_load(:action_dispatch_request) do
+        ActionDispatch::Routing::Mapper.define_method(:🥑) { :🥑 }
+      end
+    end
   end
 end

data/lib/avocado/event.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Avocado
+  module Event
+    extend ActiveSupport::Concern
+
+    VALID_ACTIONS = [
+      "email:update",
+      "email:verified",
+      "password:update",
+      "session:create",
+      "session:destroy"
+    ]
+
+    included do
+      belongs_to :user
+
+      scope :newest_first, -> { order(created_at: :desc) }
+
+      validates :action, inclusion: VALID_ACTIONS
+
+      before_create :capture_request_details
+    end
+
+    private
+
+    def capture_request_details
+      self.user_agent = Current.user_agent
+      self.ip_address = Current.ip_address
+    end
+  end
+end

data/lib/avocado/session.rb

@@ -4,10 +4,19 @@ module Avocado
   module Session
     extend ActiveSupport::Concern
 
+    SECURE_TOKEN_LENGTH = 64
+
     included do
+      include SessionCallbacks
+
+      has_secure_token length: SECURE_TOKEN_LENGTH, on: :initialize
+
       belongs_to :user
 
+      validates :token, presence: true
+
       scope :newest_first, -> { order(created_at: :desc) }
+      scope :non_current, -> { where.not(id: Current.session) }
     end
   end
 end

data/lib/avocado/session_callbacks.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Avocado
+  module SessionCallbacks
+    extend ActiveSupport::Concern
+
+    included do
+      after_create :record_activity_create
+
+      after_destroy :record_activity_destroy
+
+      before_create :capture_request_details
+    end
+
+    private
+
+    def record_activity_create
+      create_user_event "session:create"
+    end
+
+    def record_activity_destroy
+      create_user_event "session:destroy"
+    end
+
+    def create_user_event(action)
+      user.events.create! action: action
+    end
+
+    def capture_request_details
+      self.user_agent = Current.user_agent
+      self.ip_address = Current.ip_address
+    end
+  end
+end

data/lib/avocado/user.rb

@@ -5,14 +5,21 @@ module Avocado
     extend ActiveSupport::Concern
 
     included do
-      include UserEmail
+      include UserCallbacks
       include UserTokens
-      include UserPassword
+      include UserValidations
 
-      has_many :sessions
+      has_secure_password
+
+      with_options dependent: :destroy do
+        has_many :events
+        has_many :sessions
+      end
 
       scope :newest_first, -> { order(created_at: :desc) }
       scope :verified, -> { where(verified: true) }
+
+      normalizes :email, with: ->(email) { email.downcase.strip }
     end
   end
 end

data/lib/avocado/user_callbacks.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Avocado
+  module UserCallbacks
+    extend ActiveSupport::Concern
+
+    included do
+      with_options if: :password_digest_previously_changed? do
+        after_update :destroy_non_current_sessions
+        after_update :record_activity_password_update
+      end
+
+      after_update :record_activity_email_update, if: :email_previously_changed?
+      after_update :record_activity_email_verified, if: %i[verified_previously_changed? verified?]
+
+      before_validation :remove_email_verification, if: :email_changed?, on: :update
+    end
+
+    private
+
+    def record_activity_password_update
+      create_event "password:update"
+    end
+
+    def record_activity_email_update
+      create_event "email:update"
+    end
+
+    def record_activity_email_verified
+      create_event "email:verified"
+    end
+
+    def create_event(action)
+      events.create! action: action
+    end
+
+    def remove_email_verification
+      self.verified = false
+    end
+
+    def destroy_non_current_sessions
+      sessions.non_current.destroy_all
+    end
+  end
+end

data/lib/avocado/user_validations.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Avocado
+  module UserValidations
+    extend ActiveSupport::Concern
+
+    PASSWORD_FORMAT = /\A(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*\z/x
+    PASSWORD_MINIMUM_LENGTH = 8
+
+    included do
+      validates :email,
+        presence: true,
+        uniqueness: true,
+        format: {with: URI::MailTo::EMAIL_REGEXP}
+
+      validates :password,
+        format: {with: PASSWORD_FORMAT},
+        length: {minimum: PASSWORD_MINIMUM_LENGTH},
+        allow_nil: true
+    end
+  end
+end

data/lib/avocado/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Avocado
-  VERSION = "0.4.0"
+  VERSION = "0.6.0"
 end

data/lib/avocado.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "active_support"
 require_relative "avocado/engine"
 
 module Avocado
@@ -7,10 +8,12 @@ module Avocado
 
   autoload :Authentication, "avocado/authentication"
   autoload :Current, "avocado/current"
+  autoload :Event, "avocado/event"
   autoload :Mailer, "avocado/mailer"
   autoload :Session, "avocado/session"
+  autoload :SessionCallbacks, "avocado/session_callbacks"
   autoload :User, "avocado/user"
-  autoload :UserEmail, "avocado/user_email"
+  autoload :UserCallbacks, "avocado/user_callbacks"
   autoload :UserTokens, "avocado/user_tokens"
-  autoload :UserPassword, "avocado/user_password"
+  autoload :UserValidations, "avocado/user_validations"
 end

data/lib/generators/avocado/migrations/migrations_generator.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+require "rails/generators/active_record"
+
+module Avocado
+  class MigrationsGenerator < Rails::Generators::Base
+    include ActiveRecord::Generators::Migration
+
+    source_root File.expand_path("templates", __dir__)
+
+    def create_migrations
+      migration_template "create_users.rb", "#{db_migrate_path}/create_users.rb"
+      migration_template "create_sessions.rb", "#{db_migrate_path}/create_sessions.rb"
+      migration_template "create_events.rb", "#{db_migrate_path}/create_events.rb"
+    end
+
+    private
+
+    def primary_and_foreign_key_types
+      config = Rails.configuration.generators
+      setting = config.options[config.orm][:primary_key_type]
+      primary_key_type = setting || :primary_key
+      foreign_key_type = setting || :bigint
+      [primary_key_type, foreign_key_type]
+    end
+
+    def primary_key_type
+      primary_and_foreign_key_types.first
+    end
+
+    def foreign_key_type
+      primary_and_foreign_key_types.last
+    end
+  end
+end

data/lib/generators/avocado/migrations/templates/create_events.rb.tt

@@ -0,0 +1,12 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :events, id: :<%= primary_key_type %> do |t|
+      t.references :user, null: false, foreign_key: true, type: :<%= foreign_key_type %>
+      t.string :action, null: false
+      t.string :user_agent
+      t.string :ip_address
+
+      t.timestamps
+    end
+  end
+end

data/lib/generators/avocado/migrations/templates/create_sessions.rb.tt

@@ -0,0 +1,12 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :sessions, id: :<%= primary_key_type %> do |t|
+      t.references :user, null: false, foreign_key: true, type: :<%= foreign_key_type %>
+      t.string :token, null: false, index: {unique: true}
+      t.string :user_agent
+      t.string :ip_address
+
+      t.timestamps
+    end
+  end
+end

data/lib/generators/avocado/migrations/templates/create_users.rb.tt

@@ -0,0 +1,11 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :users, id: :<%= primary_key_type %> do |t|
+      t.string :email, null: false, index: {unique: true}
+      t.string :password_digest, null: false
+      t.boolean :verified, null: false, default: false, index: true
+
+      t.timestamps
+    end
+  end
+end

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: avocado
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Matt Jankowski
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-07-19 00:00:00.000000000 Z
+date: 2023-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -38,34 +38,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 7.1.0.alpha
-- !ruby/object:Gem::Dependency
-  name: combustion
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.3'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: sqlite3
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 description:
 email:
 - matt@jankowski.online
@@ -80,33 +52,52 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- app/controllers/avocado/affirmations_controller.rb
 - app/controllers/avocado/base_controller.rb
+- app/controllers/avocado/emails_controller.rb
+- app/controllers/avocado/events_controller.rb
+- app/controllers/avocado/passwords_controller.rb
 - app/controllers/avocado/recoveries_controller.rb
 - app/controllers/avocado/registrations_controller.rb
 - app/controllers/avocado/sessions_controller.rb
 - app/controllers/avocado/verifications_controller.rb
+- app/views/avocado/affirmations/edit.html.erb
+- app/views/avocado/affirmations/new.html.erb
+- app/views/avocado/emails/edit.html.erb
+- app/views/avocado/events/_event.html.erb
+- app/views/avocado/events/index.html.erb
 - app/views/avocado/mailer/email_affirmation.text.erb
 - app/views/avocado/mailer/email_verification.text.erb
 - app/views/avocado/mailer/password_reset.text.erb
+- app/views/avocado/passwords/edit.html.erb
 - app/views/avocado/recoveries/edit.html.erb
 - app/views/avocado/recoveries/new.html.erb
 - app/views/avocado/registrations/new.html.erb
 - app/views/avocado/sessions/_session.html.erb
 - app/views/avocado/sessions/index.html.erb
 - app/views/avocado/sessions/new.html.erb
+- app/views/avocado/verifications/edit.html.erb
 - config.ru
-- config/routes.rb
+- config/routes/avocado.rb
+- "config/routes/\U0001F951.rb"
+- docs/USAGE.md
 - lib/avocado.rb
 - lib/avocado/authentication.rb
 - lib/avocado/current.rb
 - lib/avocado/engine.rb
+- lib/avocado/event.rb
 - lib/avocado/mailer.rb
 - lib/avocado/session.rb
+- lib/avocado/session_callbacks.rb
 - lib/avocado/user.rb
-- lib/avocado/user_email.rb
-- lib/avocado/user_password.rb
+- lib/avocado/user_callbacks.rb
 - lib/avocado/user_tokens.rb
+- lib/avocado/user_validations.rb
 - lib/avocado/version.rb
+- lib/generators/avocado/migrations/migrations_generator.rb
+- lib/generators/avocado/migrations/templates/create_events.rb.tt
+- lib/generators/avocado/migrations/templates/create_sessions.rb.tt
+- lib/generators/avocado/migrations/templates/create_users.rb.tt
 - sig/avocado.rbs
 homepage: https://github.com/tcuwp/avocado
 licenses:

data/config/routes.rb

@@ -1,8 +0,0 @@
-Rails.application.routes.draw do
-  scope module: :avocado do
-    resources :recoveries, only: %i[new create edit update]
-    resources :registrations, only: %i[new create]
-    resources :sessions, only: %i[index new create destroy]
-    resources :verifications, only: %i[show create]
-  end
-end

data/lib/avocado/user_email.rb

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-
-module Avocado
-  module UserEmail
-    extend ActiveSupport::Concern
-
-    included do
-      validates :email, presence: true, uniqueness: true, format: {with: URI::MailTo::EMAIL_REGEXP}
-
-      normalizes :email, with: ->(email) { email.downcase.strip }
-    end
-  end
-end

data/lib/avocado/user_password.rb

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-module Avocado
-  module UserPassword
-    extend ActiveSupport::Concern
-
-    REQUIRED_FORMAT = /\A(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*\z/x
-    REQUIRED_LENGTH = 8
-
-    included do
-      has_secure_password
-
-      validates :password, format: {with: REQUIRED_FORMAT}, length: {minimum: REQUIRED_LENGTH}, allow_nil: true
-    end
-  end
-end