minimalist_authentication 2.7.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4bb59b8f43fd47739bb2d9751c0c3922100c563a244c24b33760d421c87e25c
-  data.tar.gz: 0cdfcf49e0fb66c595cc1be8f24f8dbab0b8c072158f5571caad2dc47f7d9799
+  metadata.gz: a82f3a3833f400b37555173885d052000dfbd5e4a67da90068384558f8d97705
+  data.tar.gz: 48b819ddbb26a5cb5deaa03c5cd3ef943394e93d6390286d3f30cbae7e5e8477
 SHA512:
-  metadata.gz: 31b964fc19564faf080f6a93c6a36108baea9748f0305eaaf85b3e5cf37d68024f6a2f0fc71bb350b7dd41c5b8c853a40924f4f33fe69750c04124fcf14e86a1
-  data.tar.gz: 96ad19ef5f1a5b4cee6d99782c5ee52b3033e57bb8db59288876d223098442fd3ab567c355f48c4c030e50095c9b684dbb85a2b0600c172754babf989aa21eb0
+  metadata.gz: c867bd7daebdce0f0998e78db4d05ed89bd8d3767d6bb0dc79e362f74ca8e2ac43e930dffb0f396d3d1f4f6b517d26fee00e03e06c32a8afd4b52fb0d03984b7
+  data.tar.gz: de8329fcb5b6bd2d01e9a421818952e6f362d4ff16a3e060d30e5b3afbd4751d56e4c0d37b1a3d80d917baf48dea36b407a2fbfc8f647019fa896529d82bf3a2

data/README.md

@@ -16,12 +16,12 @@ $ bundle
 
 Create a user model with **email** for an identifier:
 ```bash
-bin/rails generate model user active:boolean email:string password_hash:string last_logged_in_at:datetime
+bin/rails generate model user active:boolean email:string password_digest:string last_logged_in_at:datetime
 ```
 
 OR create a user model with **username** for an identifier:
 ```bash
-bin/rails generate model user active:boolean username:string password_hash:string last_logged_in_at:datetime
+bin/rails generate model user active:boolean username:string password_digest:string last_logged_in_at:datetime
 ```
 
 
@@ -79,12 +79,11 @@ end
 
 
 ## Fixtures
-Use **MinimalistAuthentication::Password.create** to create a password for
-fixture users.
+Use **MinimalistAuthentication::TestHelper::PASSWORD_DIGEST** to create a password_digest for fixture users.
 ```yaml
 example_user:
-  email:          user@example.com
-  password_hash:  <%= MinimalistAuthentication::Password.create("test-password") %>
+  email:            user@example.com
+  password_digest:  <%= MinimalistAuthentication::TestHelper::PASSWORD_DIGEST %>
 ```
 
 
@@ -124,6 +123,8 @@ bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetim
 
 
 ## Conversions
+
+### Upgrading to Version 2.0
 Pre 2.0 versions of MinimalistAuthentication supported multiple hash algorithms
 and stored the hashed password and salt as separate fields in the database
 (crypted_password and salt). The current version of MinimalistAuthentication
@@ -141,10 +142,26 @@ MinimalistAuthentication::Conversions::MergePasswordHash.run!
 When the conversion is complete the **crypted_password**, **salt**, and
 **using_digest_version** fields can safely be removed.
 
+### Upgrading to Version 3.0
+Version 3.0 of MinimalistAuthentication uses the Rails has_secure_password for authentication. This change requires either renaming the **password_hash** column to **password_digest** or adding an alias_attribute to map **password_digest** to **password_hash**.
 
-## Build
-[![Build Status](https://travis-ci.org/wwidea/minimalist_authentication.svg?branch=master)](https://travis-ci.org/wwidea/minimalist_authentication)
+#### Rename the **password_hash** column to **password_digest**
+Add a migration to rename the column in your users table:
+```bash
+bin/rails generate migration rename_users_password_hash_to_password_digest
+```
 
+Update the change method:
+```ruby
+def change
+  rename_column :users, :password_hash, :password_digest
+end
+```
+
+#### Alternatively, add **alias_attribute** to your user model
+```ruby
+alias_attribute :password_digest, :password_hash
+```
 
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT)..

data/app/views/passwords/edit.html.erb

@@ -1,5 +1,7 @@
 <h1>Edit Password</h1>
 
+<%= @user.errors.full_messages if @user.errors.any? %>
+
 <%= form_for @user, as: :user, url: user_password_path(@user, token: @token), html: { method: :put } do |form| %>
   <div>
     <%= form.label          :password %>

data/lib/minimalist_authentication/configuration.rb

@@ -39,7 +39,7 @@ module MinimalistAuthentication
     # Defaults to true
     attr_accessor :request_email
 
-    # Vefify users email address at login.
+    # Verify users email address at login.
     # Defaults to true.
     attr_accessor :verify_email
 

data/lib/minimalist_authentication/controller.rb

@@ -48,9 +48,5 @@ module MinimalistAuthentication
     def store_location
       session["return_to"] = url_for(request.params.merge(format: :html, only_path: true))
     end
-
-    def redirect_back_or_default(default)
-      redirect_to(session.delete("return_to") || default)
-    end
   end
 end

data/lib/minimalist_authentication/sessions.rb

@@ -5,6 +5,9 @@ module MinimalistAuthentication
     extend ActiveSupport::Concern
 
     included do
+      # URL to redirect to after successful login
+      attr_accessor :return_to
+
       skip_before_action  :authorization_required,    only: %i[new create]
       before_action       :redirect_logged_in_users,  only: :new
     end
@@ -23,7 +26,7 @@ module MinimalistAuthentication
     end
 
     def destroy
-      scrub_session!
+      reset_session
       redirect_to logout_redirect_to, notice: t(".notice"), status: :see_other
     end
 
@@ -38,7 +41,8 @@ module MinimalistAuthentication
     end
 
     def log_in_user
-      scrub_session!
+      self.return_to = session["return_to"]
+      reset_session
       authenticated_user.logged_in
       session[MinimalistAuthentication.configuration.session_key] = authenticated_user.id
     end
@@ -62,7 +66,7 @@ module MinimalistAuthentication
     end
 
     def after_authentication_success
-      redirect_back_or_default(login_redirect_to)
+      redirect_to return_to || login_redirect_to
     end
 
     def attempting_to_verify?
@@ -80,12 +84,6 @@ module MinimalistAuthentication
       user_params.values_at(*MinimalistAuthentication::Authenticator::LOGIN_FIELDS).compact.first
     end
 
-    def scrub_session!
-      (session.keys - %w[session_id return_to]).each do |key|
-        session.delete(key)
-      end
-    end
-
     def login_redirect_to
       send(MinimalistAuthentication.configuration.login_redirect_path)
     end

data/lib/minimalist_authentication/test_helper.rb

@@ -3,6 +3,7 @@
 module MinimalistAuthentication
   module TestHelper
     PASSWORD = "test-password"
+    PASSWORD_DIGEST = BCrypt::Password.create(PASSWORD, cost: BCrypt::Engine::MIN_COST)
 
     def login_as(user_fixture_name, password = PASSWORD)
       post session_path, params: { user: { email: users(user_fixture_name).email, password: } }

data/lib/minimalist_authentication/user.rb

@@ -9,20 +9,16 @@ module MinimalistAuthentication
     GUEST_USER_EMAIL = "guest"
 
     included do
-      # Stores the plain text password.
-      attribute :password, :string
+      has_secure_password validations: false
 
       # Force validations for a blank password.
       attribute :password_required, :boolean, default: false
 
-      # Hashes and stores the password on save.
-      before_save :hash_password
-
       # Email validations
       validates(
         :email,
         format:     { allow_blank: true, with: URI::MailTo::EMAIL_REGEXP },
-        uniqueness: { allow_blank: true, case_sensitive: false, scope: :active },
+        uniqueness: { allow_blank: true, case_sensitive: false },
         if:         :validate_email?
       )
       validates(:email, presence: true, if: :validate_email_presence?)
@@ -35,6 +31,7 @@ module MinimalistAuthentication
         presence:     true,
         if:           :validate_password?
       )
+      validate :password_exclusivity, if: :password?
 
       # Active scope
       scope :active,    ->(state = true)  { where(active: state) }
@@ -53,13 +50,16 @@ module MinimalistAuthentication
       !active?
     end
 
-    # Returns true if password matches the hashed_password, otherwise returns false. Upon successful
-    # authentication the user's password_hash is updated if required.
+    # Returns true if password matches the hashed_password, otherwise returns false.
     def authenticated?(password)
-      return false unless password_object == password
+      authenticate(password)
+    rescue ::BCrypt::Errors::InvalidHash
+      false
+    end
 
-      update_hash!(password) if password_object.stale?
-      true
+    # Check if user is a guest based on their email attribute
+    def guest?
+      email == GUEST_USER_EMAIL
     end
 
     def logged_in
@@ -67,59 +67,45 @@ module MinimalistAuthentication
       update_column(:last_logged_in_at, Time.current)
     end
 
-    # Check if user is a guest based on their email attribute
-    def guest?
-      email == GUEST_USER_EMAIL
-    end
-
     # Minimum password length
     def password_minimum = 12
 
     # Maximum password length
     def password_maximum = 40
 
-    private
-
-    # Set self.password to password, hash, and save if user is valid.
-    def update_hash!(password)
-      self.password = password
-      return unless valid?
-
-      hash_password
-      save
+    # Checks for password presence
+    def password?
+      password.present?
     end
 
-    # Hash password and store in hash_password unless password is blank.
-    def hash_password
-      return if password.blank?
-
-      self.password_hash = Password.create(password)
-    end
+    private
 
-    # Returns a MinimalistAuthentication::Password object.
-    def password_object
-      Password.new(password_hash)
+    # Ensure password does not match username or email.
+    def password_exclusivity
+      %w[username email].each do |field|
+        errors.add(:password, "can not match #{field}") if password.casecmp?(try(field))
+      end
     end
 
     # Require password for active users that either do no have a password hash
     # stored OR are attempting to set a new password. Set **password_required**
     # to true to force validations even when the password field is blank.
     def validate_password?
-      active? && (password_hash.blank? || password? || password_required?)
+      active? && (password_digest.blank? || password? || password_required?)
     end
 
-    # Validate email for active users.
+    # Validate email for all users.
     # Applications can turn off email validation by setting the validate_email
     # configuration attribute to false.
     def validate_email?
-      MinimalistAuthentication.configuration.validate_email && active?
+      MinimalistAuthentication.configuration.validate_email
     end
 
     # Validate email presence for active users.
     # Applications can turn off email presence validation by setting
     # validate_email_presence configuration attribute to false.
     def validate_email_presence?
-      MinimalistAuthentication.configuration.validate_email_presence && validate_email?
+      MinimalistAuthentication.configuration.validate_email_presence && validate_email? && active?
     end
   end
 end

data/lib/minimalist_authentication/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MinimalistAuthentication
-  VERSION = "2.7.0"
+  VERSION = "3.0.0"
 end

data/lib/minimalist_authentication.rb

@@ -6,9 +6,6 @@ require "minimalist_authentication/configuration"
 require "minimalist_authentication/user"
 require "minimalist_authentication/verifiable_token"
 require "minimalist_authentication/email_verification"
-require "minimalist_authentication/password"
-require "minimalist_authentication/null_password"
 require "minimalist_authentication/controller"
 require "minimalist_authentication/sessions"
 require "minimalist_authentication/test_helper"
-require "minimalist_authentication/conversions/merge_password_hash"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: minimalist_authentication
 version: !ruby/object:Gem::Version
-  version: 2.7.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Aaron Baldwin
@@ -84,8 +84,6 @@ files:
 - lib/minimalist_authentication/conversions/merge_password_hash.rb
 - lib/minimalist_authentication/email_verification.rb
 - lib/minimalist_authentication/engine.rb
-- lib/minimalist_authentication/null_password.rb
-- lib/minimalist_authentication/password.rb
 - lib/minimalist_authentication/sessions.rb
 - lib/minimalist_authentication/test_helper.rb
 - lib/minimalist_authentication/user.rb

data/lib/minimalist_authentication/null_password.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-module MinimalistAuthentication
-  class NullPassword
-    # does not match any object
-    def ==(_other)
-      false
-    end
-  end
-end

data/lib/minimalist_authentication/password.rb

@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-
-module MinimalistAuthentication
-  class Password
-    class << self
-      # Create a bcrypt password hash with a calibrated cost factor.
-      def create(secret)
-        new ::BCrypt::Engine.hash_secret(secret, BCrypt::Engine.generate_salt(cost))
-      end
-
-      # Cache the calibrated bcrypt cost factor.
-      def cost
-        @cost ||= calibrate_cost
-      end
-
-      private
-
-      # Calibrates cost so that new user passwords can automatically take
-      # advantage of faster server hardware in the future.
-      # Sets cost to BCrypt::Engine::MIN_COST in the test environment
-      def calibrate_cost
-        ::Rails.env.test? ? ::BCrypt::Engine::MIN_COST : ::BCrypt::Engine.calibrate(750)
-      end
-    end
-
-    attr_accessor :bcrypt_password
-
-    # Returns a password object wrapping a valid BCrypt password or a NullPassword
-    def initialize(password_hash)
-      self.bcrypt_password = ::BCrypt::Password.new(password_hash)
-    rescue ::BCrypt::Errors::InvalidHash
-      self.bcrypt_password = NullPassword.new
-    end
-
-    # Delegate methods to bcrypt_password
-    delegate :==, :to_s, :cost, to: :bcrypt_password
-
-    # Temporary access to checksum and salt for backwards compatibility
-    delegate :checksum, :salt,  to: :bcrypt_password
-
-    # Checks if the password_hash cost factor is less than the current cost.
-    def stale?
-      cost < self.class.cost
-    end
-  end
-end