devise-passwordless 0.7.1 → 1.0.0

data/UPGRADING.md

@@ -0,0 +1,143 @@
+## Upgrading from 0.x to 1.0
+
+⭐ The 1.0 release includes significant breaking changes! ⭐
+
+This is a big release that cleans up the DX quite a bit. 🎉 Make these changes
+to have a successful upgrade:
+
+* Generated `MagicLinksController` is no longer required
+  * Delete `app/controllers/devise/passwordless/magic_links_controller.rb`
+* Generated `SessionsController` is no longer required
+  * If you haven't customized the generated controller in:
+
+    ```
+    app/controllers/devise/passwordless/sessions_controller.rb
+    ```
+
+    then go ahead and delete the file!
+  * If you **have** customized the controller, then we're going to move it. Move the file to somewhere like
+
+    ```
+    app/controllers/custom_sessions_controller.rb
+    ```
+
+    And change the inside class definition to match, e.g. from
+
+    ```ruby
+    class Devise::Passwordless::SessionsController < Devise::SessionsController
+    ```
+
+    to
+
+    ```ruby
+    class CustomSessionsController < Devise::Passwordless::SessionsController
+    ```
+
+    Then, change the route of your resource to match it:
+
+    ```ruby
+    devise_for :users,
+      controllers: { sessions: "custom_sessions" }
+    ```
+
+    Finally, you should review the latest source of
+    `Devise::Passwordless::SessionsController` as its implementation has changed,
+    so you'll want to sync up your customizations.
+* Routing no longer requires custom `devise_scope` for magic links
+  * Delete any route declarations from `config/routes.rb` that look like this:
+
+    ```ruby
+    devise_scope :user do
+      get "/users/magic_link",
+        to: "devise/passwordless/magic_links#show",
+        as: "users_magic_link"
+    ```
+
+* Changes are required to the Devise initializer in `config/initializers/devise.rb`:
+  * Delete this line:
+    ```
+    require 'devise/passwordless/mailer'
+    ```
+  * New config value `passwordless_tokenizer` is required. Check README for
+    an explanation of tokenizers.
+    * Add this section to `config/initializers/devise.rb`:
+
+      ```ruby
+      # Which algorithm to use for tokenizing magic links. See README for descriptions
+      config.passwordless_tokenizer = "MessageEncryptorTokenizer"
+      ```
+
+* There is a new `:magic_link_sent_paranoid` i18n key you should add to your `config/locales/devise.en.yml` file:
+
+    ```diff
+    @@ -58,6 +58,7 @@
+        passwordless:
+          not_found_in_database: "Could not find a user for that email address"
+          magic_link_sent: "A login link has been sent to your email address. Please follow the link to log in to your account."
+    +      magic_link_sent_paranoid: "If your account exists, you will receive an email with a login link. Please follow the link to log in to your account."
+      errors:
+        messages:
+          already_confirmed: "was already confirmed, please try signing in"
+
+    ```
+  * If Devise's paranoid mode is enabled in your Devise initializer, this new key
+    replaces the use of both `:magic_link_sent` and `:not_found_in_database` to be
+    ambiguous about the existence of user accounts to prevent account enumeration
+    vulnerabilities. If you want the old behavior back, ensure `Devise.paranoid`
+    is `false` by setting `config.paranoid = false` in your Devise initializer.
+
+* `magic_link` path and URL helpers now work
+  * Delete any code that looks like this:
+
+    ```ruby
+    send("#{@scope_name.to_s.pluralize}_magic_link_url", Hash[@scope_name, {email: @resource.email, token: @token, remember_me: @remember_me}])
+    ```
+
+    and replace it with this:
+
+    ```ruby
+    magic_link_url(@resource, @scope_name => {email: @resource.email, token: @token, remember_me: @remember_me})
+    ```
+  * The routes are no longer pluralized, so change any references like:
+
+    ```ruby
+    users_magic_link_url
+    ```
+
+    to:
+
+    ```ruby
+    user_magic_link_url
+    ```
+
+* `Devise::Passwordless::LoginToken` is deprecated.
+  * Calls to `::encode` and `::decode` should be replaced with calls to these
+    methods on the resource model (e.g. `User`): `#encode_passwordless_token`
+    and `::decode_passwordless_token`.
+  * References to `Devise::Passwordless::LoginToken.secret_key` should be
+    changed to `Devise::Passwordless.secret_key`.
+
+* Hotwire/Turbo support
+  * If your Rails app uses Hotwire / Turbo, make sure you're using Devise >= 4.9
+    and setting the `config.responder` value in your Devise configuration
+    (see Devise Turbo upgrade guide: https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D)
+
+* The `#send_magic_link` method now uses keyword arguments instead of positional arguments.
+  * Change any instances of
+
+    ```ruby
+    remember_me = true
+    user.send_magic_link(remember_me, subject: "Custom email subject")
+    ```
+
+    to:
+
+    ```ruby
+    user.send_magic_link(remember_me: true, subject: "Custom email subject")
+    ```
+
+* After sending a magic link, users will now be redirected rather than
+  re-rendering the sign-in form.
+  * [See the README][after-magic-link-sent-readme] for details on how to customize the redirect behavior
+
+[after-magic-link-sent-readme]: https://github.com/abevoelker/devise-passwordless#redirecting-after-magic-link-is-sent

data/{lib/generators/devise/passwordless/templates/magic_links_controller.rb.erb → app/controllers/devise/magic_links_controller.rb}

@@ -1,11 +1,9 @@
-# frozen_string_literal: true
-
-<% module_namespacing do -%>
-class Devise::Passwordless::MagicLinksController < DeviseController
+class Devise::MagicLinksController < DeviseController
   prepend_before_action :require_no_authentication, only: :show
   prepend_before_action :allow_params_authentication!, only: :show
   prepend_before_action(only: [:show]) { request.env["devise.skip_timeout"] = true }
 
+  # GET /resource/magic_link
   def show
     self.resource = warden.authenticate!(auth_options)
     set_flash_message!(:notice, :signed_in)
@@ -31,4 +29,3 @@ class Devise::Passwordless::MagicLinksController < DeviseController
     resource_params.permit(:email, :remember_me)
   end
 end
-<% end -%>

data/app/controllers/devise/passwordless/sessions_controller.rb

@@ -0,0 +1,49 @@
+class Devise::Passwordless::SessionsController < Devise::SessionsController
+  def create
+    if (self.resource = resource_class.find_by(email: create_params[:email]))
+      resource.send_magic_link(remember_me: create_params[:remember_me])
+      if Devise.paranoid
+        set_flash_message!(:notice, :magic_link_sent_paranoid)
+      else
+        set_flash_message!(:notice, :magic_link_sent)
+      end
+    else
+      self.resource = resource_class.new(create_params)
+      if Devise.paranoid
+        set_flash_message!(:notice, :magic_link_sent_paranoid)
+      else
+        set_flash_message!(:alert, :not_found_in_database, now: true)
+        render :new, status: devise_error_status
+        return
+      end
+    end
+
+    redirect_to(after_magic_link_sent_path_for(resource), status: devise_redirect_status)
+  end
+
+  protected
+
+  def translation_scope
+    if action_name == "create"
+      "devise.passwordless"
+    else
+      super
+    end
+  end
+
+  private
+
+  def create_params
+    resource_params.permit(:email, :remember_me)
+  end
+
+  # Devise < 4.9 fallback support
+  # See: https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D
+  def devise_redirect_status
+    Devise.try(:responder).try(:redirect_status) || :found
+  end
+
+  def devise_error_status
+    Devise.try(:responder).try(:error_status) || :ok
+  end
+end

data/app/mailers/devise/passwordless/mailer.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+if defined?(ActionMailer)
+  module Devise
+    module Passwordless
+      class Mailer < Devise::Mailer
+        def magic_link(record, token, remember_me, opts = {})
+          @token = token
+          @remember_me = remember_me
+          devise_mail(record, :magic_link, opts)
+        end
+      end
+    end
+  end
+end

data/lib/devise/hooks/magic_link_authenticatable.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+# Deny user access when magic link authentication is disabled
+Warden::Manager.after_set_user do |record, warden, options|
+  if record && record.respond_to?(:active_for_magic_link_authentication?) && !record.active_for_magic_link_authentication?
+    scope = options[:scope]
+    warden.logout(scope)
+    throw :warden, scope: scope, message: record.magic_link_inactive_message
+  end
+end

data/lib/devise/models/magic_link_authenticatable.rb

@@ -1,22 +1,41 @@
 require 'devise/strategies/magic_link_authenticatable'
+require 'devise/hooks/magic_link_authenticatable'
 
 module Devise
   module Models
     module MagicLinkAuthenticatable
       extend ActiveSupport::Concern
 
-      def password_required?
-        false
+      # Models using the :database_authenticatable strategy will already
+      # have #password_required? and #password defined - we will defer
+      # to those methods if they already exist so that people can use
+      # both strategies together. Otherwise, for :magic_link_authenticatable-
+      # only users, we define them in order to disable password validations:
+
+      unless instance_methods.include?(:password_required?)
+        def password_required?
+          false
+        end
+      end
+
+      unless instance_methods.include?(:password)
+        # Not having a #password method breaks the :validatable module
+        #
+        # NOTE I proposed a change to Devise to fix this:
+        # https://github.com/heartcombo/devise/issues/5346#issuecomment-822022834
+        # As of yet it hasn't been accepted due to unknowns of the legacy code's purpose
+        def password
+          nil
+        end
       end
 
-      # Not having a password method breaks the :validatable module
-      def password
-        nil
+      def encode_passwordless_token(*args, **kwargs)
+        self.class.passwordless_tokenizer_class.encode(self, *args, **kwargs)
       end
 
-      def send_magic_link(remember_me, opts = {})
-        token = Devise::Passwordless::LoginToken.encode(self)
-        send_devise_notification(:magic_link, token, remember_me, opts)
+      def send_magic_link(remember_me: false, **kwargs)
+        token = self.encode_passwordless_token
+        send_devise_notification(:magic_link, token, remember_me, **kwargs)
       end
 
       # A callback initiated after successfully authenticating. This can be
@@ -32,9 +51,38 @@ module Devise
       def after_magic_link_authentication
       end
 
+      # Set this to false to disable magic link auth for this model instance.
+      # Magic links will still be generated by the sign-in page, but visiting
+      # them will instead display an error message.
+      def active_for_magic_link_authentication?
+        true
+      end
+
+      # This method determines which error message to display when magic link
+      # auth is disabled for this model instance.
+      def magic_link_inactive_message
+        :magic_link_invalid
+      end
+
       protected
 
       module ClassMethods
+        def passwordless_tokenizer_class
+          @passwordless_tokenizer_class ||= self.passwordless_tokenizer.is_a?(Class) ? (
+            self.passwordless_tokenizer
+          ) : (
+            self.passwordless_tokenizer.start_with?("::") ? (
+              self.passwordless_tokenizer.constantize
+            ) : (
+              "Devise::Passwordless::#{self.passwordless_tokenizer}".constantize
+            )
+          )
+        end
+
+        def decode_passwordless_token(*args, **kwargs)
+          passwordless_tokenizer_class.decode(*args, **kwargs)
+        end
+
         # We assume this method already gets the sanitized values from the
         # MagicLinkAuthenticatable strategy. If you are using this method on
         # your own, be sure to sanitize the conditions hash to only include
@@ -44,8 +92,9 @@ module Devise
         end
 
         Devise::Models.config(self,
+          :passwordless_tokenizer,
           :passwordless_login_within,
-          :passwordless_secret_key,
+          #:passwordless_secret_key,
           :passwordless_expire_old_tokens_on_sign_in
         )
       end
@@ -54,6 +103,27 @@ module Devise
 end
 
 module Devise
+  mattr_accessor :passwordless_tokenizer
+  @@passwordless_tokenizer = nil
+  def self.passwordless_tokenizer
+    if @@passwordless_tokenizer.blank?
+      Devise::Passwordless.deprecator.warn <<-DEPRECATION.strip_heredoc
+        [Devise-Passwordless] `Devise.passwordless_tokenizer` is a required
+        config option. If you are upgrading to Devise-Passwordless 1.0 from
+        a previous install, you should use "MessageEncryptorTokenizer" for
+        backwards compatibility. New installs are templated with
+        "SignedGlobalIDTokenizer". Read the README for a comparison of
+        options and UPGRADING for upgrade instructions. Execution will
+        now proceed with a value of "MessageEncryptorTokenizer" but future
+        releases will raise an error if this option is unset.
+      DEPRECATION
+
+      "MessageEncryptorTokenizer"
+    else
+      @@passwordless_tokenizer
+    end
+  end
+
   mattr_accessor :passwordless_login_within
   @@passwordless_login_within = 20.minutes
 

data/lib/devise/monkeypatch.rb

@@ -0,0 +1,82 @@
+# Monkeypatch to allow multiple routes for a single module
+# TODO this should be submitted as a PR to devise to deleted if/when merged
+module Devise
+  class Mapping
+    def routes
+      @routes ||= ROUTES.values_at(*self.modules).compact.flatten.uniq
+    end
+  end
+  def self.add_module(module_name, options = {})
+    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input, :insert_at)
+
+    ALL.insert (options[:insert_at] || -1), module_name
+
+    if strategy = options[:strategy]
+      strategy = (strategy == true ? module_name : strategy)
+      STRATEGIES[module_name] = strategy
+    end
+
+    if controller = options[:controller]
+      controller = (controller == true ? module_name : controller)
+      CONTROLLERS[module_name] = controller
+    end
+
+    NO_INPUT << strategy if options[:no_input]
+
+    if route = options[:route]
+      routes = {}
+
+      case route
+      when TrueClass
+        routes[module_name] = []
+      when Symbol
+        routes[route] = []
+      when Hash
+        routes = route
+      else
+        raise ArgumentError, ":route should be true, a Symbol or a Hash"
+      end
+
+      routes.each do |key, value|
+        URL_HELPERS[key] ||= []
+        URL_HELPERS[key].concat(value)
+        URL_HELPERS[key].uniq!
+
+        ROUTES[module_name] = key
+      end
+
+      if routes.size > 1
+        ROUTES[module_name] = routes.keys
+      end
+    end
+
+    if options[:model]
+      path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
+      camelized = ActiveSupport::Inflector.camelize(module_name.to_s)
+      Devise::Models.send(:autoload, camelized.to_sym, path)
+    end
+
+    Devise::Mapping.add_module module_name
+  end
+end
+
+# Extend Devise's Helpers module to add our after_magic_link_sent_path_for
+# This is defined here as a helper rather than in the sessions controller
+# directly so that it can be overridden in the main ApplicationController
+module Devise
+  module Controllers
+    module Helpers
+      # Method used by sessions controller to redirect user after a magic link
+      # is sent from the sign in page. You can overwrite it in your
+      # ApplicationController to provide a custom hook for a custom scope.
+      #
+      # By default it is the root_path.
+      def after_magic_link_sent_path_for(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        router_name = Devise.mappings[scope].router_name
+        context = router_name ? send(router_name) : self
+        context.respond_to?(:root_path) ? context.root_path : "/"
+      end
+    end
+  end
+end

data/lib/devise/passwordless/login_token.rb

@@ -1,57 +1,12 @@
 module Devise::Passwordless
   class LoginToken
-    class InvalidOrExpiredTokenError < StandardError; end
-
-    def self.encode(resource)
-      now = Time.current
-      len = ActiveSupport::MessageEncryptor.key_len
-      salt = SecureRandom.random_bytes(len)
-      key = ActiveSupport::KeyGenerator.new(self.secret_key).generate_key(salt, len)
-      crypt = ActiveSupport::MessageEncryptor.new(key, serializer: JSON)
-      encrypted_data = crypt.encrypt_and_sign({
-        data: {
-          resource: {
-            key: resource.to_key,
-            email: resource.email,
-          },
-        },
-        created_at: now.to_f,
-      })
-      salt_base64 = Base64.strict_encode64(salt)
-      "#{salt_base64}:#{encrypted_data}"
-    end
-
-    def self.decode(token, as_of=Time.current, expire_duration=Devise.passwordless_login_within)
-      raise InvalidOrExpiredTokenError if token.blank?
-      salt_base64, encrypted_data = token.split(":")
-      begin
-        salt = Base64.strict_decode64(salt_base64)
-      rescue ArgumentError
-        raise InvalidOrExpiredTokenError
-      end
-      len = ActiveSupport::MessageEncryptor.key_len
-      key = ActiveSupport::KeyGenerator.new(self.secret_key).generate_key(salt, len)
-      crypt = ActiveSupport::MessageEncryptor.new(key, serializer: JSON)
-      begin
-        decrypted_data = crypt.decrypt_and_verify(encrypted_data)
-      rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage
-        raise InvalidOrExpiredTokenError
-      end
-
-      created_at = ActiveSupport::TimeZone["UTC"].at(decrypted_data["created_at"])
-      if as_of.to_f > (created_at + expire_duration).to_f
-        raise InvalidOrExpiredTokenError
-      end
-
-      decrypted_data
-    end
-
     def self.secret_key
-      if Devise.passwordless_secret_key.present?
-        Devise.passwordless_secret_key
-      else
-        Devise.secret_key
-      end
+      Devise::Passwordless.deprecator.warn <<-DEPRECATION.strip_heredoc
+        [Devise-Passwordless] `Devise::Passwordless::LoginToken.secret_key` is
+        deprecated and will be removed in a future release. Please use
+        `Devise::Passwordless.secret_key` instead.
+      DEPRECATION
+      Devise::Passwordless.secret_key
     end
   end
-end
+end

data/lib/devise/passwordless/rails.rb

@@ -0,0 +1,25 @@
+module Devise::Passwordless
+  class Engine < Rails::Engine
+    initializer "devise_passwordless.routing" do
+      require "devise/passwordless/routing"
+
+      Devise.add_module(:magic_link_authenticatable, {
+        model: true,
+        strategy: true,
+        route: { magic_link: [nil, :show], session: [nil, :new, :destroy] },
+        controller: :sessions,
+      })
+    end
+
+    initializer "devise_passwordless.log_filter_check" do
+      params = Rails.try(:application).try(:config).try(:filter_parameters) || []
+
+      unless params.map(&:to_sym).include?(:token)
+        warn "[DEVISE-PASSWORDLESS] We have detected that your Rails configuration does not " \
+              "filter :token parameters out of your logs. You should append :token to your " \
+              "config.filter_parameters Rails setting so that magic link tokens don't " \
+              "leak out of your logs."
+      end
+    end
+  end
+end

data/lib/devise/passwordless/routing.rb

@@ -0,0 +1,11 @@
+module ActionDispatch::Routing
+  class Mapper
+
+    protected
+
+      def devise_magic_link(mapping, controllers) #:nodoc:
+        resource :magic_link, only: [:show],
+          path: mapping.path_names[:magic_link], controller: controllers[:magic_links]
+      end
+  end
+end

data/lib/devise/passwordless/tokenizers/message_encryptor_tokenizer.rb

@@ -0,0 +1,66 @@
+module Devise::Passwordless
+  class MessageEncryptorTokenizer
+    def self.encode(resource, extra: nil, expires_at: nil)
+      now = Time.current
+      len = ActiveSupport::MessageEncryptor.key_len
+      salt = SecureRandom.random_bytes(len)
+      key = ActiveSupport::KeyGenerator.new(Devise::Passwordless.secret_key).generate_key(salt, len)
+      crypt = ActiveSupport::MessageEncryptor.new(key, serializer: JSON)
+      data = {
+        data: {
+          resource: {
+            key: resource.to_key,
+            email: resource.email,
+          },
+        },
+        created_at: now.to_f,
+      }
+      data[:data][:extra] = extra if extra
+      data[:expires_at] = expires_at.to_f if expires_at
+      encrypted_data = crypt.encrypt_and_sign(data)
+      salt_base64 = Base64.strict_encode64(salt)
+      "#{salt_base64}:#{encrypted_data}"
+    end
+
+    def self.decode(token, resource_class, as_of: Time.current, expire_duration: Devise.passwordless_login_within)
+      raise InvalidTokenError if token.blank?
+      salt_base64, encrypted_data = token.split(":")
+      raise InvalidTokenError if salt_base64.blank? || encrypted_data.blank?
+      begin
+        salt = Base64.strict_decode64(salt_base64)
+      rescue ArgumentError
+        raise InvalidTokenError
+      end
+      len = ActiveSupport::MessageEncryptor.key_len
+      key = ActiveSupport::KeyGenerator.new(Devise::Passwordless.secret_key).generate_key(salt, len)
+      crypt = ActiveSupport::MessageEncryptor.new(key, serializer: JSON)
+      begin
+        decrypted_data = crypt.decrypt_and_verify(encrypted_data)
+      rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage
+        raise InvalidTokenError
+      end
+
+      unless (expiration_time = decrypted_data["expires_at"])
+        created_at = ActiveSupport::TimeZone["UTC"].at(decrypted_data["created_at"])
+        expiration_time = (created_at + expire_duration).to_f
+      end
+
+      if as_of.to_f > expiration_time
+        raise ExpiredTokenError
+      end
+
+      resource = resource_class.find_by(id: decrypted_data["data"]["resource"]["key"])
+
+      if resource_class.passwordless_expire_old_tokens_on_sign_in
+        if (last_login = resource.try(:current_sign_in_at))
+          token_created_at = ActiveSupport::TimeZone["UTC"].at(decrypted_data["created_at"])
+          if token_created_at < last_login
+            raise ExpiredTokenError
+          end
+        end
+      end
+
+      [resource, decrypted_data]
+    end
+  end
+end

data/lib/devise/passwordless/tokenizers/signed_global_id_tokenizer.rb

@@ -0,0 +1,20 @@
+require "globalid"
+
+module Devise::Passwordless
+  class SignedGlobalIDTokenizer
+    def self.encode(resource, expires_in: nil, expires_at: nil)
+      if expires_at
+        resource.to_sgid(expires_at: expires_at, for: "login").to_s
+      else
+        resource.to_sgid(expires_in: expires_in || resource.class.passwordless_login_within, for: "login").to_s
+      end
+    end
+
+    def self.decode(token, resource_class)
+      resource = GlobalID::Locator.locate_signed(token, for: "login")
+      raise ExpiredTokenError unless resource
+      raise InvalidTokenError if resource.class != resource_class
+      [resource, {}]
+    end
+  end
+end

data/lib/devise/passwordless/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Devise
   module Passwordless
-    VERSION = "0.7.1"
+    VERSION = "1.0.0"
   end
 end

data/lib/devise/passwordless.rb

@@ -1,3 +1,27 @@
 require "devise/passwordless/version"
+require "devise/monkeypatch"
+require "devise/passwordless/rails" if defined?(Rails::Engine)
 require "devise/models/magic_link_authenticatable"
 require "generators/devise/passwordless/install_generator"
+require "devise/passwordless/tokenizers/message_encryptor_tokenizer"
+require "devise/passwordless/tokenizers/signed_global_id_tokenizer"
+
+module Devise
+  module Passwordless
+    class InvalidOrExpiredTokenError < StandardError; end
+    class InvalidTokenError < InvalidOrExpiredTokenError; end
+    class ExpiredTokenError < InvalidOrExpiredTokenError; end
+
+    def self.deprecator
+      @deprecator ||= ActiveSupport::Deprecation.new("1.1", "Devise-Passwordless")
+    end
+
+    def self.secret_key
+      if Devise.passwordless_secret_key.present?
+        Devise.passwordless_secret_key
+      else
+        Devise.secret_key
+      end
+    end
+  end
+end