login-control 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 576dfb778fef6f08e892aee929fb44b15ac51de82b8bca41a6d5b7fa5291cf1e
+  data.tar.gz: 15f8547991b86ae2f90b212cfc639ad67e8fd2556acd5851b7fc2b9894d6a337
+SHA512:
+  metadata.gz: 5668048e7774db39f276303cc32d9bf6e1538a3300c4118bea7c520eb32ee263203c9afb7b8a60a9ba48a76be4cdcf430029015ddd1ee334d587d1c52dcd7bd1
+  data.tar.gz: 480d115794fb3726822b090718eb5dd941aed63db411bb1931290944307cd8db0f6742db01c1ebac8a748d312372e05f474cbb2a29f19c08b0845d41d66b6f33

data/README.md

@@ -0,0 +1,64 @@
+## Description
+
+The Attempt here is to give more flexibility on multiple signup barriers, like captacha or 2fa. Based on the requests it gives you a decisive criteria of the barriers a user have to take for sign in. It stores a permanent cookie and a table for tracking requests for specific routes you track within a controller method.
+
+its built for systems on higher security requirements, for users which have sign-in multiple times on same login.
+
+## Features
+
+The `RequestControlViewHelper.captcha_tag?` delivers true if captcha is necessary and showed on a login form.
+
+This decision is based on the status of failed login attempts, which is stored in rails-session-cookie.
+
+For a user that had never a successfully login, `captcha_tag?` is always true. After first successful login, `captcha_tag?` is true if `attempts` are less than configured (default: 10) and `last_attempt` is older than `config.x.login_control.retry_after_seconds` 
+
+On localhost captcha is never required.
+
+## Installation
+
+`gem 'request-control'
+
+run 
+```
+$ bundle
+$ rails g model login_control session_id:string login_name:string scope:string sign_in_success:integer attempts:integer last_attempt:datetime validate_captcha:boolean
+$ rails db:migrate
+```
+
+Login Form
+
+`include RequestControlViewHelper`
+
+```
+  - if captcha_tag?
+    = hcaptcha xxx
+```
+
+Controller example for subclassed devise controller
+
+```
+class SessionsController < Devise::SessionsController
+
+  include RequestControlModule
+
+  def create
+    notice_request_attempt
+    if (captcha_validation? ? verify_hcaptcha(secret_key: ...) : true) && credentials-matched
+      super
+      notice_successful_request
+    else
+      redirect_to login_path, alert: 'captcha failed' 
+    end
+  end
+end
+```
+
+## Configs
+
+`config.x.login_control.attempts_allowed` integer, default: 10
+
+`config.x.login_control.retry_after_seconds` integer, default: 30 (seconds) # => if, after a failed login, within status `:known`, within `attempts_allowed`, within `retry_after_seconds` `RequestControlViewHelper.captcha_tag?` returns true
+
+`config.x.login_control.debug` boolean, default: false only for production
+
+

data/lib/login_control_module.rb

@@ -0,0 +1,56 @@
+module LoginControlModule
+
+  # check if captcha is to validate (does not store a cookie)
+  def captcha_validation?(scope: :global, login_name: nil)
+    rec = rc_record(scope, login_name)
+    rec ? rec.validate_captcha : true
+  end
+
+  # stores cookie, count-up sign_in_success, set attempts count to 1
+
+  def notice_successful_request(scope: :global, login_name: nil)
+    rec = find_or_build_rc_record(scope, login_name)
+    rec.sign_in_success = rec.sign_in_success.to_i + 1
+    rec.attempts = 1
+    rec.save!
+    logger.info "REQUEST-CONTROL => #{rec.sign_in_success}. successful request noticed" if debug_request_control
+  end
+
+  # stores cookie, counts up attempts
+
+  def notice_request_attempt(scope: :global, login_name: nil)
+    rec = find_or_build_rc_record(scope, login_name)
+    rec.attempts = rec.attempts.to_i + 1
+    rec.save!
+    logger.info "REQUEST-CONTROL => #{rec.attempts}. failed request noticed" if debug_request_control
+  end
+
+  private
+
+  # read or store encrypted permanent cookie «login_control»
+
+  def find_or_build_rc_record(scope, login_name)
+    id = cookies.encrypted.permanent[:login_control]
+    if id.present?
+      rc_record(scope, login_name, id: id)
+    else
+      id = SecureRandom.hex(20)
+      cookies.encrypted.permanent[:login_control] = id
+      LoginControl.new(session_id: id, scope: scope, login_name: login_name)
+    end
+  end
+
+  # read cookie «login_control»
+  def rc_record(scope, login_name, id: cookies.encrypted.permanent[:login_control])
+    if id
+      LoginControl.find_by(session_id: id, scope: scope, login_name: login_name)
+    else
+      nil
+    end
+  end
+
+  def debug_request_control
+    Rails.configuration.x.login_control.debug || !Rails.env.production?
+  end
+
+end

data/lib/login_control_view_helper.rb

@@ -0,0 +1,45 @@
+module LoginControlViewHelper
+
+  # true if captcha tag is showed on a login form
+  # the result is saved in rails-session-cookie and later picked up by LoginControlModule.captcha_validation?
+
+  def captcha_tag?(scope: :global, login_name: nil)
+    debug = (Rails.configuration.x.login_control.debug || !Rails.env.production?)
+    rc_id = cookies.encrypted.permanent[:login_control]
+    if request.host == 'localhost'
+      logger.info 'REQUEST-CONTROL => no captcha because of localhost' if debug
+      false
+    elsif !rc_id.present?
+      logger.info 'REQUEST-CONTROL => captcha because no cookie stored yet' if debug
+      true
+    else
+      logger.info 'REQUEST-CONTROL => cookie found ...' if debug
+      rec = LoginControl.find_by(session_id: rc_id, scope: scope, login_name: login_name)
+      if !rec
+        logger.info 'REQUEST-CONTROL => captcha required because no record found(!)' if debug
+        true
+      else
+        logger.info 'REQUEST-CONTROL => record found ...' if debug
+        captcha_requested = true
+
+        attempts_allowed = (Rails.configuration.x.login_control.attempts_allowed || 10)
+        retry_after_seconds = (Rails.configuration.x.login_control.retry_after_seconds || 30)
+        logger.info "REQUEST-CONTROL => #{rec.attempts.to_i}. attempt (config.x.attempts_allowed: #{attempts_allowed})" if debug
+
+        if rec.attempts.to_i <= attempts_allowed
+          secs = Time.now - rec.updated_at
+          captcha_requested = retry_after_seconds.to_f >= secs
+          logger.info "REQUEST-CONTROL => captcha #{captcha_requested ? '' : 'NOT '}requested: config.x.retry_after_seconds(#{retry_after_seconds}) >= secs(#{secs})" if debug
+        end
+
+        rec.update!(validate_captcha: captcha_requested)
+        captcha_requested
+      end
+    end
+  end
+
+  # Text for ask a user for storing a cookie
+
+  REQUEST_CONTROL_COOKIE_TXT = "On first login attempt this service stores a permanent cookie. It tracks login attempts. Only aim is securing and, on the other hand, simplifying access."
+
+end

metadata

@@ -0,0 +1,46 @@
+--- !ruby/object:Gem::Specification
+name: login-control
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Christian Sedlmair
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-01-07 00:00:00.000000000 Z
+dependencies: []
+description: Based on Login Attempts check if captcha is necessary. It stores a permanent
+  cookie and uses a table for tracking login requests.
+email: christian@sedlmair.ch
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/login_control_module.rb
+- lib/login_control_view_helper.rb
+homepage: https://rubygems.org/gems/request-control
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.17
+signing_key:
+specification_version: 4
+summary: Lib for simplifying and securing login.
+test_files: []