devise-passwordless 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9bb24b5fe4c2794fc255797ca018533757e999c80ef5ac8f2992e245b48bec1
-  data.tar.gz: c38c95a39eaae489078f4730f96c4dd8ebda460028cd2ef752196396e2b35837
+  metadata.gz: 15837103c0aa116898d6b9847813c8ddf11d5e9e42fb3592322521b1107a96b0
+  data.tar.gz: e4d86d9d88ed12151a91490d9360440d9bbf68570f9fc7fc9a49ecadffa17d00
 SHA512:
-  metadata.gz: 821b144072819bf40fdc6687184262af929cfc066173700b7afdb92a56a344e6c01c923bd956a3ae928c8dab572f8ff2f84de73c56fde29139e2c28f8564fe0c
-  data.tar.gz: 51bc2079671c704e365e43b7ad10d72359b8ff2588c31deee1ab001ab2f93f4d6fe3992a1de7ea890401dbf1be08ae912e4302fd7c673b6b61bc3ba29832faae
+  metadata.gz: a834c844bdc0e1cc638140ae5081f7714d24637837c7b5f84b6c14f32819c5e41316b1a29b57ac65f2d8e76781a8ce20a55b51dbb8f30489bdb4af94f131a25b
+  data.tar.gz: 9b5703b2c793916342f9f044ea81ec1a626b0450cab2c0d91f4c56bc811ed7ccfee736db88715bae4d920729b3b56bbafaac781062dbf44b9cb016d73c15e7ce

data/README.md

@@ -2,7 +2,11 @@
 
 A passwordless a.k.a. "magic link" login strategy for [Devise][]
 
-No database migrations are needed as login links are stateless, encrypted tokens generated with Rails's MessageEncryptor.
+## Features
+
+* No database migrations / state needed - links are stateless encrypted tokens thanks to Rails's MessageEncryptor
+* Magic links are sent from your app - not a mounted Rails engine - so path and URL helpers work as expected
+* All the goodness of Devise!
 
 ## Installation
 
@@ -30,9 +34,9 @@ See the [customization section](#customization) for details on what gets install
 
 ## Usage
 
-This gem adds an `:magic_link_authenticatable` strategy that can be used in your Devise models for passwordless authentication. This strategy plays well with most other Devise strategies (see [*notes on other Devise strategies*](#notes-on-other-devise-strategies)).
+This gem adds a `:magic_link_authenticatable` strategy that can be used in your Devise models for passwordless authentication. This strategy plays well with most other Devise strategies (see [*notes on other Devise strategies*](#notes-on-other-devise-strategies)).
 
-For example, for a User model, you could do this (other strategies listed are optional and not exhaustive):
+For example, for a User model, you can now do this (other strategies listed are optional and not exhaustive):
 
 ```ruby
 # app/models/user.rb
@@ -51,7 +55,7 @@ Then, you'll need to generate two controllers to modify Devise's default session
 $ rails g devise:passwordless:controller User
 ```
 
-Then, modify your routes file like so to use these controllers:
+Then, set up your Devise routes like so to use these controllers:
 
 ```ruby
 # config/routes.rb
@@ -63,13 +67,15 @@ Rails.application.routes.draw do
 end
 ```
 
-Finally, you'll want to update Devise's generated views to remove references to passwords.
+Finally, you'll want to update Devise's generated views to remove references to passwords, since you don't need them any more!
 
 These files/directories can be deleted entirely:
 
-* `app/views/devise/passwords`
-* `app/views/devise/mailer/password_change.html.erb`
-* `app/views/devise/mailer/reset_password_instructions.html.erb`
+```
+app/views/devise/passwords
+app/views/devise/mailer/password_change.html.erb
+app/views/devise/mailer/reset_password_instructions.html.erb
+```
 
 And these should be edited to remove password references:
 
@@ -98,6 +104,11 @@ config.mailer = "PasswordlessMailer"
 # key will render invalid all existing passwordless login tokens. You can
 # generate your own secret value with e.g. `rake secret`
 # config.passwordless_secret_key = nil
+
+# When using the :trackable module, set to true to consider magic link tokens
+# generated before the user's current sign in time to be expired. In other words,
+# each time you sign in, all existing magic links will be considered invalid.
+# config.passwordless_expire_old_tokens_on_sign_in = false
 ```
 
 To customize the magic link email subject line and other status and error messages, modify these values in `config/locales/devise.en.yml`:
@@ -109,17 +120,17 @@ en:
       not_found_in_database: "Could not find a user for that email address"
       magic_link_sent: "A login link has been sent to your email address. Please follow the link to log in to your account."
     failure:
-      passwordless_invalid: "Invalid or expired login link."
+      magic_link_invalid: "Invalid or expired login link."
     mailer:
       magic_link:
-        subject: "Here's your magic login link 🪄✨"
+        subject: "Here's your magic login link ✨"
 ```
 
 To customize the magic link email body, edit `app/views/devise/mailer/magic_link.html.erb`
 
 ### Notes on other Devise strategies
 
-If using the `:rememberable` strategy for "remember me" functionality, you'll need to add a `remember_token` column to your resource, as by default it assumes you're using a password strategy and relies on comparing the password's salt to validate cookies:
+If using the `:rememberable` strategy for "remember me" functionality, you'll need to add a `remember_token` column to your resource, as by default that strategy assumes you're using a password auth strategy and relies on comparing the password's salt to validate cookies:
 
 ```ruby
 change_table :users do |t|

data/devise-passwordless.gemspec

@@ -35,9 +35,9 @@ Gem::Specification.new do |spec|
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
+  spec.required_ruby_version = ">= 2.1.0"
 
   spec.add_dependency "devise"
-  spec.add_dependency "rails"
 
   spec.add_development_dependency "bundler", "~> 1.17"
   spec.add_development_dependency "rake", "~> 10.0"

data/lib/devise/models/magic_link_authenticatable.rb

@@ -43,7 +43,11 @@ module Devise
           find_for_authentication(conditions)
         end
 
-        Devise::Models.config(self, :passwordless_login_within, :passwordless_secret_key)
+        Devise::Models.config(self,
+          :passwordless_login_within,
+          :passwordless_secret_key,
+          :passwordless_expire_old_tokens_on_sign_in
+        )
       end
     end
   end
@@ -55,4 +59,7 @@ module Devise
 
   mattr_accessor :passwordless_secret_key
   @@passwordless_secret_key = nil
+
+  mattr_accessor :passwordless_expire_old_tokens_on_sign_in
+  @@passwordless_expire_old_tokens_on_sign_in = false
 end

data/lib/devise/passwordless/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module Passwordless
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/devise/strategies/magic_link_authenticatable.rb

@@ -20,21 +20,31 @@ module Devise
       end
 
       def authenticate!
-        data = begin
-          x = Devise::Passwordless::LoginToken.decode(self.token)
-          x["data"]
+        begin
+          data = Devise::Passwordless::LoginToken.decode(self.token)
         rescue Devise::Passwordless::LoginToken::InvalidOrExpiredTokenError
-          fail!(:passwordless_invalid)
+          fail!(:magic_link_invalid)
           return
         end
 
-        resource = mapping.to.find_by(id: data["resource"]["key"])
+        resource = mapping.to.find_by(id: data["data"]["resource"]["key"])
+
+        if resource && Devise.passwordless_expire_old_tokens_on_sign_in
+          if (last_login = resource.try(:current_sign_in_at))
+            token_created_at = ActiveSupport::TimeZone["UTC"].at(data["created_at"])
+            if token_created_at < last_login
+              fail!(:magic_link_invalid)
+              return
+            end
+          end
+        end
+
         if validate(resource)
           remember_me(resource)
           resource.after_magic_link_authentication
           success!(resource)
         else
-          fail!(:passwordless_invalid)
+          fail!(:magic_link_invalid)
         end
       end
 

data/lib/generators/devise/passwordless/install_generator.rb

@@ -1,3 +1,4 @@
+require "psych"
 require "rails/generators"
 require "yaml"
 
@@ -22,6 +23,11 @@ module Devise::Passwordless
           # key will render invalid all existing passwordless login tokens. You can
           # generate your own secret value with e.g. `rake secret`
           # config.passwordless_secret_key = nil
+
+          # When using the :trackable module, set to true to consider magic link tokens
+          # generated before the user's current sign in time to be expired. In other words,
+          # each time you sign in, all existing magic links will be considered invalid.
+          # config.passwordless_expire_old_tokens_on_sign_in = false
         CONFIG
         end
       end
@@ -60,7 +66,7 @@ module Devise::Passwordless
           STDERR.puts "Couldn't find #{devise_yaml} - skipping patch"
           return
         end
-        config.deep_merge!({
+        default_config = {
           en: {
             devise: {
               passwordless: {
@@ -68,17 +74,45 @@ module Devise::Passwordless
                 magic_link_sent: "A login link has been sent to your email address. Please follow the link to log in to your account.",
               },
               failure: {
-                passwordless_invalid: "Invalid or expired login link.",
+                magic_link_invalid: "Invalid or expired login link.",
               },
               mailer: {
                 magic_link: {
-                  subject: "Here's your login link 🪄✨",
+                  subject: "Here's your magic login link ✨",
                 },
               }
             }
           }
-        })
-        File.open(devise_yaml, "w"){ |f| f.write(config.to_yaml) }
+        }
+        merged_config = config.deep_merge(default_config.deep_stringify_keys)
+        File.open(devise_yaml, "w") do |f|
+          f.write(force_double_quote_yaml(merged_config.to_yaml))
+        end
+      end
+
+      private
+
+      # https://github.com/ruby/psych/issues/322#issuecomment-328408276
+      def force_double_quote_yaml(yaml_str)
+        ast = Psych.parse_stream(yaml_str)
+
+        # First pass, quote everything
+        ast.grep(Psych::Nodes::Scalar).each do |node|
+          node.plain  = false
+          node.quoted = true
+          node.style  = Psych::Nodes::Scalar::DOUBLE_QUOTED
+        end
+
+        # Second pass, unquote keys
+        ast.grep(Psych::Nodes::Mapping).each do |node|
+          node.children.each_slice(2) do |k, _|
+            k.plain  = true
+            k.quoted = false
+            k.style  = Psych::Nodes::Scalar::ANY
+          end
+        end
+
+        ast.yaml(nil, {line_width: -1})
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-passwordless
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Abe Voelker
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-11 00:00:00.000000000 Z
+date: 2020-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: rails
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -120,7 +106,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="