RubyGems - has_secure_passkey - Versions diffs - 0.1.0 - Mend

has_secure_passkey 0.1.0

Files changed (47) hide show

data/app/views/layouts/has_secure_passkey/application.html.erb ADDED Viewed

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Has secure passkey</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+  <%= yield :head %>
+  <%= stylesheet_link_tag    "has_secure_passkey/application", media: "all" %>
+</head>
+<body>
+<%= yield %>
+</body>
+</html>

data/config/importmap.rb ADDED Viewed

	@@ -0,0 +1 @@
1	+ pin "has_secure_passkey", to: "has_secure_passkey.js"

data/config/routes.rb ADDED Viewed

@@ -0,0 +1,3 @@
+HasSecurePasskey::Engine.routes.draw do
+  post "/challenges/:session_path", to: "challenges#create", as: :challenges
+end

data/lib/generators/has_secure_passkey/passkeys/passkeys_generator.rb ADDED Viewed

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+class HasSecurePasskey::PasskeysGenerator < Rails::Generators::Base
+  source_root File.expand_path("templates", __dir__)
+  def create_passkey_files
+    template "app/models/session.rb"
+    template "app/models/person.rb"
+    template "app/models/current.rb"
+    template "app/models/passkey.rb"
+    template "app/controllers/concerns/authentication.rb"
+    template "app/controllers/registrations_controller.rb"
+    template "app/views/registrations/create.turbo_stream.erb"
+    template "app/views/registrations/new.html.erb"
+    template "app/controllers/email_verifications_controller.rb"
+    template "app/views/email_verifications/show.html.erb"
+    template "app/controllers/people_controller.rb"
+    template "app/controllers/sessions_controller.rb"
+    template "app/channels/application_cable/connection.rb" if defined?(ActionCable::Engine)
+    template "app/mailers/email_verification_mailer.rb"
+    template "app/views/email_verification_mailer/verify.html.erb"
+    template "app/views/email_verification_mailer/verify.text.erb"
+    template "test/mailers/previews/email_verification_mailer_preview.rb"
+    append_to_file "app/javascript/application.js", "import \"has_secure_passkey\"\n"
+    insert_into_file "config/environments/development.rb", "  config.x.url = \"http://localhost:3000\"\n", after: "Rails.application.configure do\n"
+    insert_into_file "config/environments/test.rb", "  config.x.url = \"http://example.com\"\n", after: "Rails.application.configure do\n"
+    insert_into_file "config/environments/production.rb", "  config.x.url = \"https://example.com\"\n", after: "Rails.application.configure do\n"
+  end
+  def configure_application_controller
+    inject_into_class "app/controllers/application_controller.rb", "ApplicationController", "  include Authentication\n"
+  end
+  def configure_passkey_routes
+    route "resource :sessions, only: :destroy"
+    route "resources :sessions, only: :create"
+    route "resources :people, only: :create"
+    route "resources :email_verifications, only: :show, param: :webauthn_message"
+    route "resource :registration, only: %i(new create)"
+    route "mount HasSecurePasskey::Engine => \"/has_secure_passkey\""
+  end
+  def add_migrations
+    generate "migration", "CreatePeople", "email_address:string!:uniq webauthn_id:string!", "--force"
+    generate "migration", "CreateSessions", "person:references ip_address:string user_agent:string", "--force"
+    generate "migration", "CreatePasskeys", "authenticatable:references{polymorphic} external_id:string public_key:string sign_count:integer last_used_at:datetime name:string", "--force"
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/channels/application_cable/connection.rb.tt ADDED Viewed

@@ -0,0 +1,16 @@
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+    identified_by :current_person
+    def connect
+      set_current_person || reject_unauthorized_connection
+    end
+    private
+      def set_current_person
+        if session = Session.from_cookie(cookies)
+          self.current_person = session.person
+        end
+      end
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/concerns/authentication.rb.tt ADDED Viewed

@@ -0,0 +1,59 @@
+module Authentication
+  extend ActiveSupport::Concern
+  included do
+    before_action :require_authentication
+    helper_method :authenticated?
+  end
+  class_methods do
+    def allow_unauthenticated_access(**options)
+      skip_before_action :require_authentication, **options
+    end
+    def prevent_authenticated_access(**options)
+      before_action :require_unauthenticated, **options
+    end
+  end
+  private
+  def authenticated?
+    resume_session
+  end
+  def require_authentication
+    resume_session || request_authentication
+  end
+  def resume_session
+    Current.session ||= Session.from_cookie(cookies)
+  end
+  def request_authentication
+    session[:return_to_after_authenticating] = request.url
+    redirect_to root_path
+  end
+  def after_authentication_url
+    session.delete(:return_to_after_authenticating) || root_url
+  end
+  def require_unauthenticated
+    return unless authenticated?
+    redirect_to root_path, notice: "You are already signed in"
+  end
+  def start_new_session_for(person)
+    person.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session|
+      Current.session = session
+      cookies.signed.permanent[:session_id] = { value: session.id, httponly: true, same_site: :lax }
+    end
+  end
+  def terminate_session
+    resume_session&.destroy
+    cookies.delete(:session_id)
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/email_verifications_controller.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+class EmailVerificationsController < ApplicationController
+  prevent_authenticated_access
+  allow_unauthenticated_access
+  def show
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/people_controller.rb.tt ADDED Viewed

@@ -0,0 +1,11 @@
+class PeopleController < ApplicationController
+  allow_unauthenticated_access
+  prevent_authenticated_access
+  def create
+    @person = Person.create_by_webauthn(params:)
+    start_new_session_for(@person)
+    redirect_to after_authentication_url
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/registrations_controller.rb.tt ADDED Viewed

@@ -0,0 +1,20 @@
+class RegistrationsController < ApplicationController
+  prevent_authenticated_access only: %i(new create)
+  allow_unauthenticated_access only: %i(new create)
+  def new
+    @person = Person.new
+  end
+  def create
+    @person = Person.new(email_address: params[:person][:email_address])
+    if @person.valid?
+      EmailVerificationMailer.verify(@person.attributes).deliver_later
+      render :create
+    else
+      render :new, status: :unprocessable_entity
+    end
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/controllers/sessions_controller.rb.tt ADDED Viewed

@@ -0,0 +1,20 @@
+class SessionsController < ApplicationController
+  allow_unauthenticated_access
+  prevent_authenticated_access except: :destroy
+  def create
+    if (person = Person.authenticate_by(params:)).present?
+      start_new_session_for(person)
+      redirect_to after_authentication_url
+    else
+      render turbo_stream: turbo_stream.prepend_all("body", "<p>Something went wrong. Try again</p>")
+    end
+  end
+  def destroy
+    terminate_session
+    redirect_to root_path
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/mailers/email_verification_mailer.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+class EmailVerificationMailer < ApplicationMailer
+  def verify(person_attributes)
+    @person = Person.new(person_attributes)
+    mail to: @person.email_address, subject: "Verify your email"
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/models/current.rb.tt ADDED Viewed

@@ -0,0 +1,4 @@
+class Current < ActiveSupport::CurrentAttributes
+  attribute :session
+  delegate :person, to: :session, allow_nil: true
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/models/passkey.rb.tt ADDED Viewed

@@ -0,0 +1,30 @@
+class Passkey < ApplicationRecord
+  include ActionView::Helpers::DateHelper
+  belongs_to :authenticatable, polymorphic: true
+  validates :external_id, presence: true, uniqueness: true
+  validates :public_key,  presence: true
+  validates :sign_count,  presence: true, numericality: {
+    only_integer: true, greater_than_or_equal_to: 0
+  }
+  before_destroy do
+    if authenticatable.passkeys.excluding(self).blank?
+      errors.add(:base, "Can't remove your only passkey")
+      throw :abort
+    end
+  end
+  def name_or_default
+    name.presence || "security key"
+  end
+  def last_used
+    if last_used_at.present?
+      "Last used #{time_ago_in_words last_used_at} ago"
+    else
+      "Never used"
+    end
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/models/person.rb.tt ADDED Viewed

@@ -0,0 +1,9 @@
+class Person < ApplicationRecord
+  has_secure_passkey
+  has_many :sessions, dependent: :destroy
+  normalizes :email_address, with: ->(e) { e.strip.downcase }
+  validates :email_address, uniqueness: true, presence: true
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/models/session.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+class Session < ApplicationRecord
+  belongs_to :person
+  def self.from_cookie(cookie_jar)
+    find_by(id: cookie_jar.signed[:session_id])
+  end
+end

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/email_verification_mailer/verify.html.erb.tt ADDED Viewed

	@@ -0,0 +1 @@
1	+ <%%= link_to "Finish signing up", email_verification_url(@person.encode_webauthn_message) %>

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/email_verification_mailer/verify.text.erb.tt ADDED Viewed

	@@ -0,0 +1 @@
1	+ <%%= email_verification_url(@person.encode_webauthn_message) %>

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/email_verifications/show.html.erb.tt ADDED Viewed

@@ -0,0 +1,11 @@
+<%% if (prompt = prompt_for_new_passkey(callback: people_path)) %>
+  <h2>Verified!</h2>
+  <p>Let's add your passkey.</p>
+  <%%= prompt %>
+<%% else %>
+  <h2>
+    Hmm, that link looks wrong.
+    <%%= link_to "Try again.", new_registration_path, class: "underline decoration-2" %>
+  </h2>
+<%% end %>

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/registrations/create.turbo_stream.erb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+<%%= turbo_stream.update "new-registration" do %>
+  <div>
+    <h2>We've sent you an email!</h2>
+    <p>Click the link in the email to verify it's you.</p>
+  </div>
+<%% end %>

data/lib/generators/has_secure_passkey/passkeys/templates/app/views/registrations/new.html.erb.tt ADDED Viewed

@@ -0,0 +1,16 @@
+<%%= form_with model: @person, url: registration_path do |f| %>
+  <%% if @person.errors.any? %>
+    <div style="color: red">
+      <h2><%%= pluralize(@person.errors.count, "error") %> prohibited this person from being saved:</h2>
+      <ul>
+        <%% @person.errors.each do |error| %>
+          <li><%%= error.full_message %></li>
+        <%% end %>
+      </ul>
+    </div>
+  <%% end %>
+  <%%= f.email_field :email_address, autofocus: true, autocomplete: :email, placeholder: "Email" %>
+  <%%= f.submit "Sign up" %>
+<%% end %>

data/lib/generators/has_secure_passkey/passkeys/templates/test/mailers/previews/email_verification_mailer_preview.rb.tt ADDED Viewed

@@ -0,0 +1,7 @@
+# Preview all emails at http://localhost:3000/rails/mailers/email_verification_mailer
+class EmailVerificationMailerPreview < ActionMailer::Preview
+  # Preview this email at http://localhost:3000/rails/mailers/email_verification_mailer/verify
+  def verify
+    EmailVerificationMailer.verify(Person.take.attributes)
+  end
+end

data/lib/has_secure_passkey/active_record_helpers.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module HasSecurePasskey::ActiveRecordHelpers
+  def has_secure_passkey
+    encrypts :webauthn_id, deterministic: true
+    has_many :sessions, dependent: :destroy
+    has_many :passkeys, dependent: :delete_all, as: :authenticatable
+    validates :webauthn_id, uniqueness: true
+    accepts_nested_attributes_for :passkeys
+    before_validation do
+      self.webauthn_id ||= self.class.webauthn_id
+    end
+    define_singleton_method :webauthn_id do
+      WebAuthn.generate_user_id
+    end
+    define_singleton_method :authenticate_by do |params:|
+      HasSecurePasskey::AuthenticateBy.
+        new(model: self, params:).
+        authenticated
+    end
+    define_singleton_method :create_by_webauthn do |params:|
+      authenticatable = new(HasSecurePasskey::OptionsForCreate.
+        from_message(params[:webauthn_message]).authenticatable)
+      ActiveRecord::Base.transaction do
+        unless authenticatable.save && authenticatable.add_passkey(params:)
+          raise ActiveRecord::Rollback
+        end
+      end
+      authenticatable
+    end
+    define_method :add_passkey do |params:|
+      HasSecurePasskey::AddPasskey.
+        new(authenticatable: self, params:).
+        save
+    end
+    define_method :encode_webauthn_message do
+      HasSecurePasskey::OptionsForCreate.new(authenticatable: self).message
+    end
+  end
+end

data/lib/has_secure_passkey/add_passkey.rb ADDED Viewed

@@ -0,0 +1,45 @@
+class HasSecurePasskey::AddPasskey
+  def initialize(authenticatable:, params:)
+    @authenticatable = authenticatable
+    @params = params
+  end
+  def save
+    if valid?
+      passkey.save
+      passkey
+    else
+      false
+    end
+  end
+  private
+  attr_reader :authenticatable, :params
+  delegate_missing_to :credential
+  def credential
+    @credential ||= WebAuthn::Credential.from_create(params)
+  end
+  def valid?
+    credential.verify(challenge)
+  rescue WebAuthn::Error => e
+    authenticatable.errors.add(:passkeys, e.message)
+    false
+  end
+  def passkey
+    @passkey ||= authenticatable.passkeys.build(
+      external_id: credential.id, public_key:, sign_count:
+    )
+  end
+  def challenge
+    HasSecurePasskey::OptionsForCreate.
+      from_message(params[:webauthn_message]).challenge
+  rescue ActiveSupport::MessageVerifier::InvalidSignature
+    ""
+  end
+end

data/lib/has_secure_passkey/authenticate_by.rb ADDED Viewed

@@ -0,0 +1,49 @@
+class HasSecurePasskey::AuthenticateBy
+  def initialize(model:, params:)
+    @model = model
+    @params = params
+  end
+  def authenticated
+    return @authenticated if defined?(@authenticated)
+    @authenticated =
+      if valid?
+        passkey.authenticatable
+      end
+  end
+  private
+  attr_reader :params, :model
+  def valid?
+    passkey.present? && verified? &&
+      passkey.update(sign_count: webauthn_credential.sign_count) &&
+      passkey.touch(:last_used_at)
+  end
+  def webauthn_credential
+    @webauthn_credential ||= WebAuthn::Credential.from_get(params)
+  end
+  def passkey
+    @passkey ||= Passkey.find_by(
+      external_id: webauthn_credential.id, authenticatable_type: model.to_s
+    )
+  end
+  def verified?
+    webauthn_credential.verify(challenge, public_key: passkey.public_key,
+                                          sign_count: passkey.sign_count)
+  rescue WebAuthn::Error, WebAuthn::SignCountVerificationError
+    false
+  end
+  def challenge
+    HasSecurePasskey::OptionsForGet.
+      from_message(params[:webauthn_message]).challenge
+  rescue ActiveSupport::MessageVerifier::InvalidSignature
+    ""
+  end
+end

data/lib/has_secure_passkey/engine.rb ADDED Viewed

@@ -0,0 +1,41 @@
+module HasSecurePasskey
+  class Engine < ::Rails::Engine
+    isolate_namespace HasSecurePasskey
+    config.eager_load_namespaces << HasSecurePasskey
+    config.autoload_once_paths = %W(
+      #{root}/app/helpers
+    )
+    initializer "has_secure_passkey.webauthn" do |app|
+      WebAuthn.configure do |config|
+        config.origin = ENV.fetch("APP_URL", app.config.x.url)
+        config.rp_name = app.name
+        config.credential_options_timeout = 120_000
+      end
+    end
+    initializer "has_secure_passkey.assets" do
+      if Rails.application.config.respond_to?(:assets)
+        Rails.application.config.assets.precompile += %w(has_secure_passkey.js)
+      end
+    end
+    initializer "has_secure_passkey.importmap", before: "importmap" do |app|
+      if Rails.application.respond_to?(:importmap)
+        app.config.importmap.paths << Engine.root.join("config/importmap.rb")
+      end
+    end
+    initializer "has_secure_passkey.helpers", before: :load_config_initializers do
+      ActiveSupport.on_load(:action_controller_base) do
+        helper HasSecurePasskey::Engine.helpers
+      end
+    end
+    initializer "has_secure_passkey.active_record_helpers" do
+      ActiveSupport.on_load(:active_record) do
+        extend HasSecurePasskey::ActiveRecordHelpers
+      end
+    end
+  end
+end

data/lib/has_secure_passkey/options_for_create.rb ADDED Viewed

@@ -0,0 +1,49 @@
+class HasSecurePasskey::OptionsForCreate
+  class << self
+    def verifier
+      Rails.application.message_verifier("passkey_signup")
+    end
+    def from_message(message)
+      new(**verifier.verify(message).symbolize_keys).tap do
+        _1.authenticatable.symbolize_keys! if _1.authenticatable.is_a?(Hash)
+      end
+    end
+  end
+  def initialize(authenticatable:, options: nil, challenge: nil)
+    @authenticatable = authenticatable
+    @options = options
+    @challenge = challenge
+  end
+  def message
+    self.class.verifier.generate(
+      { challenge:, options:,
+        authenticatable: authenticatable.as_json(only: %i(email_address webauthn_id)) }.as_json
+    )
+  end
+  def options
+    @options ||= { publicKey: credential }
+  end
+  def as_json
+    options
+  end
+  def challenge
+    @challenge ||= credential.challenge
+  end
+  attr_reader :authenticatable
+  private
+  def credential
+    @credential ||= WebAuthn::Credential.options_for_create(
+      user: { name: authenticatable.email_address, id: authenticatable.webauthn_id },
+      exclude: authenticatable.passkeys.pluck(:external_id)
+    )
+  end
+end

data/lib/has_secure_passkey/options_for_get.rb ADDED Viewed

@@ -0,0 +1,34 @@
+class HasSecurePasskey::OptionsForGet
+  class << self
+    def verifier
+      Rails.application.message_verifier("passkey_login")
+    end
+    def from_message(message)
+      new(**verifier.verify(message).symbolize_keys)
+    end
+  end
+  def initialize(challenge: nil)
+    @challenge = challenge
+  end
+  def message
+    self.class.verifier.generate({ challenge: })
+  end
+  def challenge
+    @challenge ||= credential.challenge
+  end
+  def as_json
+    { publicKey: credential.as_json }
+  end
+  private
+  def credential
+    @credential ||= WebAuthn::Credential.
+      options_for_get(user_verification: "discouraged")
+  end
+end

data/lib/has_secure_passkey/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module HasSecurePasskey
+  VERSION = "0.1.0"
+end

data/lib/has_secure_passkey.rb ADDED Viewed

@@ -0,0 +1,12 @@
+require "webauthn"
+require "has_secure_passkey/version"
+require "has_secure_passkey/engine"
+require "has_secure_passkey/options_for_create"
+require "has_secure_passkey/options_for_get"
+require "has_secure_passkey/active_record_helpers"
+require "has_secure_passkey/authenticate_by"
+require "has_secure_passkey/add_passkey"
+module HasSecurePasskey
+end

data/lib/tasks/has_secure_passkey_tasks.rake ADDED Viewed

@@ -0,0 +1,5 @@
+desc "Install passkeys"
+task :passkeys do
+  Rails::Command.invoke :generate, [ "has_secure_passkey:passkeys" ]
+  Rails::Command.invoke "db:encryption:init"
+end