RubyGems - has_secure_passkey - Versions diffs - 0.1.0 - Mend

has_secure_passkey 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

data/app/views/layouts/has_secure_passkey/application.html.erb ADDED Viewed

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Has secure passkey</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+  <%= yield :head %>
+  <%= stylesheet_link_tag    "has_secure_passkey/application", media: "all" %>
+</head>
+<body>
+<%= yield %>
+</body>
+</html>

data/config/importmap.rb ADDED Viewed

	@@ -0,0 +1 @@
1	+ pin "has_secure_passkey", to: "has_secure_passkey.js"

data/config/routes.rb ADDED Viewed

@@ -0,0 +1,3 @@
+HasSecurePasskey::Engine.routes.draw do
+  post "/challenges/:session_path", to: "challenges#create", as: :challenges
+end

data/lib/generators/has_secure_passkey/passkeys/passkeys_generator.rb ADDED Viewed

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+class HasSecurePasskey::PasskeysGenerator < Rails::Generators::Base
+  source_root File.expand_path("templates", __dir__)
+  def create_passkey_files
+    template "app/models/session.rb"
+    template "app/models/person.rb"
+    template "app/models/current.rb"
+    template "app/models/passkey.rb"
+    template "app/controllers/concerns/authentication.rb"
+    template "app/controllers/registrations_controller.rb"
+    template "app/views/registrations/create.turbo_stream.erb"
+    template "app/views/registrations/new.html.erb"
+    template "app/controllers/email_verifications_controller.rb"
+    template "app/views/email_verifications/show.html.erb"
+    template "app/controllers/people_controller.rb"
+    template "app/controllers/sessions_controller.rb"
+    template "app/channels/application_cable/connection.rb" if defined?(ActionCable::Engine)
+    template "app/mailers/email_verification_mailer.rb"
+    template "app/views/email_verification_mailer/verify.html.erb"
+    template "app/views/email_verification_mailer/verify.text.erb"
+    template "test/mailers/previews/email_verification_mailer_preview.rb"
+    append_to_file "app/javascript/application.js", "import \"has_secure_passkey\"\n"
+    insert_into_file "config/environments/development.rb", "  config.x.url = \"http://localhost:3000\"\n", after: "Rails.application.configure do\n"
+    insert_into_file "config/environments/test.rb", "  config.x.url = \"http://example.com\"\n", after: "Rails.application.configure do\n"
+    insert_into_file "config/environments/production.rb", "  config.x.url = \"https://example.com\"\n", after: "Rails.application.configure do\n"
+  end
+  def configure_application_controller
+    inject_into_class "app/controllers/application_controller.rb", "ApplicationController", "  include Authentication\n"
+  end
+  def configure_passkey_routes
+    route "resource :sessions, only: :destroy"
+    route "resources :sessions, only: :create"
+    route "resources :people, only: :create"
+    route "resources :email_verifications, only: :show, param: :webauthn_message"
+    route "resource :registration, only: %i(new create)"
+    route "mount HasSecurePasskey::Engine => \"/has_secure_passkey\""
+  end
+  def add_migrations
+    generate "migration", "CreatePeople", "email_address:string!:uniq webauthn_id:string!", "--force"
+    generate "migration", "CreateSessions", "person:references ip_address:string user_agent:string", "--force"
+    generate "migration", "CreatePasskeys", "authenticatable:references{polymorphic} external_id:string public_key:string sign_count:integer last_used_at:datetime name:string", "--force"
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/channels/application_cable/connection.rb.tt ADDED Viewed

@@ -0,0 +1,16 @@
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+    identified_by :current_person
+    def connect
+      set_current_person || reject_unauthorized_connection
+    end
+    private
+      def set_current_person
+        if session = Session.from_cookie(cookies)
+          self.current_person = session.person
+        end
+      end
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/concerns/authentication.rb.tt ADDED Viewed

@@ -0,0 +1,59 @@
+module Authentication
+  extend ActiveSupport::Concern
+  included do
+    before_action :require_authentication
+    helper_method :authenticated?
+  end
+  class_methods do
+    def allow_unauthenticated_access(**options)
+      skip_before_action :require_authentication, **options
+    end
+    def prevent_authenticated_access(**options)
+      before_action :require_unauthenticated, **options
+    end
+  end
+  private
+  def authenticated?
+    resume_session
+  end
+  def require_authentication
+    resume_session || request_authentication
+  end
+  def resume_session
+    Current.session ||= Session.from_cookie(cookies)
+  end
+  def request_authentication
+    session[:return_to_after_authenticating] = request.url
+    redirect_to root_path
+  end
+  def after_authentication_url
+    session.delete(:return_to_after_authenticating) || root_url
+  end
+  def require_unauthenticated
+    return unless authenticated?
+    redirect_to root_path, notice: "You are already signed in"
+  end
+  def start_new_session_for(person)
+    person.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session|
+      Current.session = session
+      cookies.signed.permanent[:session_id] = { value: session.id, httponly: true, same_site: :lax }
+    end
+  end
+  def terminate_session
+    resume_session&.destroy
+    cookies.delete(:session_id)
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/email_verifications_controller.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+class EmailVerificationsController < ApplicationController
+  prevent_authenticated_access
+  allow_unauthenticated_access
+  def show
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/people_controller.rb.tt ADDED Viewed

@@ -0,0 +1,11 @@
+class PeopleController < ApplicationController
+  allow_unauthenticated_access
+  prevent_authenticated_access
+  def create
+    @person = Person.create_by_webauthn(params:)
+    start_new_session_for(@person)
+    redirect_to after_authentication_url
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/registrations_controller.rb.tt ADDED Viewed

@@ -0,0 +1,20 @@
+class RegistrationsController < ApplicationController
+  prevent_authenticated_access only: %i(new create)
+  allow_unauthenticated_access only: %i(new create)
+  def new
+    @person = Person.new
+  end
+  def create
+    @person = Person.new(email_address: params[:person][:email_address])
+    if @person.valid?
+      EmailVerificationMailer.verify(@person.attributes).deliver_later
+      render :create
+    else
+      render :new, status: :unprocessable_entity
+    end
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/sessions_controller.rb.tt ADDED Viewed

@@ -0,0 +1,20 @@
+class SessionsController < ApplicationController
+  allow_unauthenticated_access
+  prevent_authenticated_access except: :destroy
+  def create
+    if (person = Person.authenticate_by(params:)).present?
+      start_new_session_for(person)
+      redirect_to after_authentication_url
+    else
+      render turbo_stream: turbo_stream.prepend_all("body", "<p>Something went wrong. Try again</p>")
+    end
+  end
+  def destroy
+    terminate_session
+    redirect_to root_path
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/mailers/email_verification_mailer.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+class EmailVerificationMailer < ApplicationMailer
+  def verify(person_attributes)
+    @person = Person.new(person_attributes)
+    mail to: @person.email_address, subject: "Verify your email"
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/models/current.rb.tt ADDED Viewed

@@ -0,0 +1,4 @@
+class Current < ActiveSupport::CurrentAttributes
+  attribute :session
+  delegate :person, to: :session, allow_nil: true
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/models/passkey.rb.tt ADDED Viewed

@@ -0,0 +1,30 @@
+class Passkey < ApplicationRecord
+  include ActionView::Helpers::DateHelper
+  belongs_to :authenticatable, polymorphic: true
+  validates :external_id, presence: true, uniqueness: true
+  validates :public_key,  presence: true
+  validates :sign_count,  presence: true, numericality: {
+    only_integer: true, greater_than_or_equal_to: 0
+  }
+  before_destroy do
+    if authenticatable.passkeys.excluding(self).blank?
+      errors.add(:base, "Can't remove your only passkey")
+      throw :abort
+    end
+  end
+  def name_or_default
+    name.presence || "security key"
+  end
+  def last_used
+    if last_used_at.present?
+      "Last used #{time_ago_in_words last_used_at} ago"
+    else
+      "Never used"
+    end
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/models/person.rb.tt ADDED Viewed

@@ -0,0 +1,9 @@
+class Person < ApplicationRecord
+  has_secure_passkey
+  has_many :sessions, dependent: :destroy
+  normalizes :email_address, with: ->(e) { e.strip.downcase }
+  validates :email_address, uniqueness: true, presence: true
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/models/session.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+class Session < ApplicationRecord
+  belongs_to :person
+  def self.from_cookie(cookie_jar)
+    find_by(id: cookie_jar.signed[:session_id])
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/email_verification_mailer/verify.html.erb.tt ADDED Viewed

	@@ -0,0 +1 @@
1	+ <%%= link_to "Finish signing up", email_verification_url(@person.encode_webauthn_message) %>

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/email_verification_mailer/verify.text.erb.tt ADDED Viewed

	@@ -0,0 +1 @@
1	+ <%%= email_verification_url(@person.encode_webauthn_message) %>

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/email_verifications/show.html.erb.tt ADDED Viewed

@@ -0,0 +1,11 @@
+<%% if (prompt = prompt_for_new_passkey(callback: people_path)) %>
+  <h2>Verified!</h2>
+  <p>Let's add your passkey.</p>
+  <%%= prompt %>
+<%% else %>
+  <h2>
+    Hmm, that link looks wrong.
+    <%%= link_to "Try again.", new_registration_path, class: "underline decoration-2" %>
+  </h2>
+<%% end %>

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/registrations/create.turbo_stream.erb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+<%%= turbo_stream.update "new-registration" do %>
+  <div>
+    <h2>We've sent you an email!</h2>
+    <p>Click the link in the email to verify it's you.</p>
+  </div>
+<%% end %>

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/registrations/new.html.erb.tt ADDED Viewed

@@ -0,0 +1,16 @@
+<%%= form_with model: @person, url: registration_path do |f| %>
+  <%% if @person.errors.any? %>
+    <div style="color: red">
+      <h2><%%= pluralize(@person.errors.count, "error") %> prohibited this person from being saved:</h2>
+      <ul>
+        <%% @person.errors.each do |error| %>
+          <li><%%= error.full_message %></li>
+        <%% end %>
+      </ul>
+    </div>
+  <%% end %>
+  <%%= f.email_field :email_address, autofocus: true, autocomplete: :email, placeholder: "Email" %>
+  <%%= f.submit "Sign up" %>
+<%% end %>

data/lib/generators/has_secure_passkey/passkeys/templates/test/mailers/previews/email_verification_mailer_preview.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+# Preview all emails at http://localhost:3000/rails/mailers/email_verification_mailer
+class EmailVerificationMailerPreview < ActionMailer::Preview
+  # Preview this email at http://localhost:3000/rails/mailers/email_verification_mailer/verify
+  def verify
+    EmailVerificationMailer.verify(Person.take.attributes)
+  end
+end

data/lib/has_secure_passkey/active_record_helpers.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module HasSecurePasskey::ActiveRecordHelpers
+  def has_secure_passkey
+    encrypts :webauthn_id, deterministic: true
+    has_many :sessions, dependent: :destroy
+    has_many :passkeys, dependent: :delete_all, as: :authenticatable
+    validates :webauthn_id, uniqueness: true
+    accepts_nested_attributes_for :passkeys
+    before_validation do
+      self.webauthn_id ||= self.class.webauthn_id
+    end
+    define_singleton_method :webauthn_id do
+      WebAuthn.generate_user_id
+    end
+    define_singleton_method :authenticate_by do |params:|
+      HasSecurePasskey::AuthenticateBy.
+        new(model: self, params:).
+        authenticated
+    end
+    define_singleton_method :create_by_webauthn do |params:|
+      authenticatable = new(HasSecurePasskey::OptionsForCreate.
+        from_message(params[:webauthn_message]).authenticatable)
+      ActiveRecord::Base.transaction do
+        unless authenticatable.save && authenticatable.add_passkey(params:)
+          raise ActiveRecord::Rollback
+        end
+      end
+      authenticatable
+    end
+    define_method :add_passkey do |params:|
+      HasSecurePasskey::AddPasskey.
+        new(authenticatable: self, params:).
+        save
+    end
+    define_method :encode_webauthn_message do
+      HasSecurePasskey::OptionsForCreate.new(authenticatable: self).message
+    end
+  end
+end

data/lib/has_secure_passkey/add_passkey.rb ADDED Viewed

@@ -0,0 +1,45 @@
+class HasSecurePasskey::AddPasskey
+  def initialize(authenticatable:, params:)
+    @authenticatable = authenticatable
+    @params = params
+  end
+  def save
+    if valid?
+      passkey.save
+      passkey
+    else
+      false
+    end
+  end
+  private
+  attr_reader :authenticatable, :params
+  delegate_missing_to :credential
+  def credential
+    @credential ||= WebAuthn::Credential.from_create(params)
+  end
+  def valid?
+    credential.verify(challenge)
+  rescue WebAuthn::Error => e
+    authenticatable.errors.add(:passkeys, e.message)
+    false
+  end
+  def passkey
+    @passkey ||= authenticatable.passkeys.build(
+      external_id: credential.id, public_key:, sign_count:
+    )
+  end
+  def challenge
+    HasSecurePasskey::OptionsForCreate.
+      from_message(params[:webauthn_message]).challenge
+  rescue ActiveSupport::MessageVerifier::InvalidSignature
+    ""
+  end
+end

data/lib/has_secure_passkey/authenticate_by.rb ADDED Viewed

@@ -0,0 +1,49 @@
+class HasSecurePasskey::AuthenticateBy
+  def initialize(model:, params:)
+    @model = model
+    @params = params
+  end
+  def authenticated
+    return @authenticated if defined?(@authenticated)
+    @authenticated =
+      if valid?
+        passkey.authenticatable
+      end
+  end
+  private
+  attr_reader :params, :model
+  def valid?
+    passkey.present? && verified? &&
+      passkey.update(sign_count: webauthn_credential.sign_count) &&
+      passkey.touch(:last_used_at)
+  end
+  def webauthn_credential
+    @webauthn_credential ||= WebAuthn::Credential.from_get(params)
+  end
+  def passkey
+    @passkey ||= Passkey.find_by(
+      external_id: webauthn_credential.id, authenticatable_type: model.to_s
+    )
+  end
+  def verified?
+    webauthn_credential.verify(challenge, public_key: passkey.public_key,
+                                          sign_count: passkey.sign_count)
+  rescue WebAuthn::Error, WebAuthn::SignCountVerificationError
+    false
+  end
+  def challenge
+    HasSecurePasskey::OptionsForGet.
+      from_message(params[:webauthn_message]).challenge
+  rescue ActiveSupport::MessageVerifier::InvalidSignature
+    ""
+  end
+end

data/lib/has_secure_passkey/engine.rb ADDED Viewed

@@ -0,0 +1,41 @@
+module HasSecurePasskey
+  class Engine < ::Rails::Engine
+    isolate_namespace HasSecurePasskey
+    config.eager_load_namespaces << HasSecurePasskey
+    config.autoload_once_paths = %W(
+      #{root}/app/helpers
+    )
+    initializer "has_secure_passkey.webauthn" do |app|
+      WebAuthn.configure do |config|
+        config.origin = ENV.fetch("APP_URL", app.config.x.url)
+        config.rp_name = app.name
+        config.credential_options_timeout = 120_000
+      end
+    end
+    initializer "has_secure_passkey.assets" do
+      if Rails.application.config.respond_to?(:assets)
+        Rails.application.config.assets.precompile += %w(has_secure_passkey.js)
+      end
+    end
+    initializer "has_secure_passkey.importmap", before: "importmap" do |app|
+      if Rails.application.respond_to?(:importmap)
+        app.config.importmap.paths << Engine.root.join("config/importmap.rb")
+      end
+    end
+    initializer "has_secure_passkey.helpers", before: :load_config_initializers do
+      ActiveSupport.on_load(:action_controller_base) do
+        helper HasSecurePasskey::Engine.helpers
+      end
+    end
+    initializer "has_secure_passkey.active_record_helpers" do
+      ActiveSupport.on_load(:active_record) do
+        extend HasSecurePasskey::ActiveRecordHelpers
+      end
+    end
+  end
+end

data/lib/has_secure_passkey/options_for_create.rb ADDED Viewed

@@ -0,0 +1,49 @@
+class HasSecurePasskey::OptionsForCreate
+  class << self
+    def verifier
+      Rails.application.message_verifier("passkey_signup")
+    end
+    def from_message(message)
+      new(**verifier.verify(message).symbolize_keys).tap do
+        _1.authenticatable.symbolize_keys! if _1.authenticatable.is_a?(Hash)
+      end
+    end
+  end
+  def initialize(authenticatable:, options: nil, challenge: nil)
+    @authenticatable = authenticatable
+    @options = options
+    @challenge = challenge
+  end
+  def message
+    self.class.verifier.generate(
+      { challenge:, options:,
+        authenticatable: authenticatable.as_json(only: %i(email_address webauthn_id)) }.as_json
+    )
+  end
+  def options
+    @options ||= { publicKey: credential }
+  end
+  def as_json
+    options
+  end
+  def challenge
+    @challenge ||= credential.challenge
+  end
+  attr_reader :authenticatable
+  private
+  def credential
+    @credential ||= WebAuthn::Credential.options_for_create(
+      user: { name: authenticatable.email_address, id: authenticatable.webauthn_id },
+      exclude: authenticatable.passkeys.pluck(:external_id)
+    )
+  end
+end

data/lib/has_secure_passkey/options_for_get.rb ADDED Viewed

@@ -0,0 +1,34 @@
+class HasSecurePasskey::OptionsForGet
+  class << self
+    def verifier
+      Rails.application.message_verifier("passkey_login")
+    end
+    def from_message(message)
+      new(**verifier.verify(message).symbolize_keys)
+    end
+  end
+  def initialize(challenge: nil)
+    @challenge = challenge
+  end
+  def message
+    self.class.verifier.generate({ challenge: })
+  end
+  def challenge
+    @challenge ||= credential.challenge
+  end
+  def as_json
+    { publicKey: credential.as_json }
+  end
+  private
+  def credential
+    @credential ||= WebAuthn::Credential.
+      options_for_get(user_verification: "discouraged")
+  end
+end

data/lib/has_secure_passkey/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module HasSecurePasskey
+  VERSION = "0.1.0"
+end

data/lib/has_secure_passkey.rb ADDED Viewed

@@ -0,0 +1,12 @@
+require "webauthn"
+require "has_secure_passkey/version"
+require "has_secure_passkey/engine"
+require "has_secure_passkey/options_for_create"
+require "has_secure_passkey/options_for_get"
+require "has_secure_passkey/active_record_helpers"
+require "has_secure_passkey/authenticate_by"
+require "has_secure_passkey/add_passkey"
+module HasSecurePasskey
+end

data/lib/tasks/has_secure_passkey_tasks.rake ADDED Viewed

@@ -0,0 +1,5 @@
+desc "Install passkeys"
+task :passkeys do
+  Rails::Command.invoke :generate, [ "has_secure_passkey:passkeys" ]
+  Rails::Command.invoke "db:encryption:init"
+end