minimalist_authentication 2.7.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4bb59b8f43fd47739bb2d9751c0c3922100c563a244c24b33760d421c87e25c
-  data.tar.gz: 0cdfcf49e0fb66c595cc1be8f24f8dbab0b8c072158f5571caad2dc47f7d9799
+  metadata.gz: eb8cc19088eea71ab56f803fe72724911988a9dea1eaf2df45ab6eab1127fea9
+  data.tar.gz: 648dad4be8864624cf3bc9158c9cc207fc19da57256c363415c2c4b3cbe6b3ef
 SHA512:
-  metadata.gz: 31b964fc19564faf080f6a93c6a36108baea9748f0305eaaf85b3e5cf37d68024f6a2f0fc71bb350b7dd41c5b8c853a40924f4f33fe69750c04124fcf14e86a1
-  data.tar.gz: 96ad19ef5f1a5b4cee6d99782c5ee52b3033e57bb8db59288876d223098442fd3ab567c355f48c4c030e50095c9b684dbb85a2b0600c172754babf989aa21eb0
+  metadata.gz: fdce2aed67b60fb4adc4d6227523001c52099ea9df6458aa420ce89616467986e05e12362afba71811502d25ab406e2356d2857bc62f640ce7942dc00dc408f4
+  data.tar.gz: a9c0c9ac343602975b60415c0b53c13e50f748e08a63bf37a1ecb6ca64c20eea1e4e6402096c1900b45255cd13ee736a0ef664cce7a25639fccf73486ede9e12

data/README.md

@@ -16,12 +16,12 @@ $ bundle
 
 Create a user model with **email** for an identifier:
 ```bash
-bin/rails generate model user active:boolean email:string password_hash:string last_logged_in_at:datetime
+bin/rails generate model user active:boolean email:string password_digest:string last_logged_in_at:datetime
 ```
 
 OR create a user model with **username** for an identifier:
 ```bash
-bin/rails generate model user active:boolean username:string password_hash:string last_logged_in_at:datetime
+bin/rails generate model user active:boolean username:string password_digest:string last_logged_in_at:datetime
 ```
 
 
@@ -73,18 +73,16 @@ MinimalistAuthentication.configure do |configuration|
   configuration.verify_email              = true                # default is true
   configuration.login_redirect_path       = :custom_path        # default is :root_path
   configuration.logout_redirect_path      = :custom_path        # default is :new_session_path
-  configuration.email_prefix              = '[Custom Prefix]'   # default is application name
 end
 ```
 
 
 ## Fixtures
-Use **MinimalistAuthentication::Password.create** to create a password for
-fixture users.
+Use **MinimalistAuthentication::TestHelper::PASSWORD_DIGEST** to create a password_digest for fixture users.
 ```yaml
 example_user:
-  email:          user@example.com
-  password_hash:  <%= MinimalistAuthentication::Password.create("test-password") %>
+  email:            user@example.com
+  password_digest:  <%= MinimalistAuthentication::TestHelper::PASSWORD_DIGEST %>
 ```
 
 
@@ -124,6 +122,8 @@ bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetim
 
 
 ## Conversions
+
+### Upgrading to Version 2.0
 Pre 2.0 versions of MinimalistAuthentication supported multiple hash algorithms
 and stored the hashed password and salt as separate fields in the database
 (crypted_password and salt). The current version of MinimalistAuthentication
@@ -141,10 +141,26 @@ MinimalistAuthentication::Conversions::MergePasswordHash.run!
 When the conversion is complete the **crypted_password**, **salt**, and
 **using_digest_version** fields can safely be removed.
 
+### Upgrading to Version 3.0
+Version 3.0 of MinimalistAuthentication uses the Rails has_secure_password for authentication. This change requires either renaming the **password_hash** column to **password_digest** or adding an alias_attribute to map **password_digest** to **password_hash**.
 
-## Build
-[![Build Status](https://travis-ci.org/wwidea/minimalist_authentication.svg?branch=master)](https://travis-ci.org/wwidea/minimalist_authentication)
+#### Rename the **password_hash** column to **password_digest**
+Add a migration to rename the column in your users table:
+```bash
+bin/rails generate migration rename_users_password_hash_to_password_digest
+```
 
+Update the change method:
+```ruby
+def change
+  rename_column :users, :password_hash, :password_digest
+end
+```
+
+#### Alternatively, add **alias_attribute** to your user model
+```ruby
+alias_attribute :password_digest, :password_hash
+```
 
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT)..

data/app/controllers/email_verifications_controller.rb

@@ -11,7 +11,7 @@ class EmailVerificationsController < ApplicationController
 
   def create
     current_user.regenerate_verification_token
-    MinimalistAuthenticationMailer.verify_email(current_user).deliver_now
+    MinimalistAuthenticationMailer.with(user: current_user).verify_email.deliver_now
 
     redirect_to dashboard_path, notice: t(".notice", email: current_user.email)
   end

data/app/controllers/password_resets_controller.rb

@@ -14,7 +14,7 @@ class PasswordResetsController < ApplicationController
   def create
     if user
       user.regenerate_verification_token
-      MinimalistAuthenticationMailer.update_password(user).deliver_now
+      MinimalistAuthenticationMailer.with(user:).update_password.deliver_now
     end
     # always display notice even if the user was not found to prevent leaking user emails
     redirect_to new_session_path, notice: "Password reset instructions were mailed to #{email}"

data/app/mailers/minimalist_authentication_mailer.rb

@@ -1,24 +1,20 @@
 # frozen_string_literal: true
 
 class MinimalistAuthenticationMailer < ApplicationMailer
-  def verify_email(user)
-    @verify_email_link = email_verification_url(token: user.verification_token)
-    send_to(user, "Email Address Verification")
+  before_action { @user = params[:user] }
+  after_action :mail_user
+
+  def verify_email
+    @verify_email_link = email_verification_url(token: @user.verification_token)
   end
 
-  def update_password(user)
-    @edit_password_link = edit_user_password_url(user, token: user.verification_token)
-    send_to(user, "Update Password")
+  def update_password
+    @edit_password_link = edit_user_password_url(@user, token: @user.verification_token)
   end
 
   private
 
-  def send_to(user, subject)
-    @user = user
-    mail to: @user.email, subject: prefixed_subject(subject)
-  end
-
-  def prefixed_subject(subject)
-    "#{MinimalistAuthentication.configuration.email_prefix} #{subject}"
+  def mail_user
+    mail(to: @user.email)
   end
 end

data/app/views/passwords/edit.html.erb

@@ -1,5 +1,7 @@
 <h1>Edit Password</h1>
 
+<%= @user.errors.full_messages if @user.errors.any? %>
+
 <%= form_for @user, as: :user, url: user_password_path(@user, token: @token), html: { method: :put } do |form| %>
   <div>
     <%= form.label          :password %>

data/config/locales/minimalist_authentication.en.yml

@@ -19,6 +19,8 @@ en:
   minimalist_authentication_mailer:
     update_password:
       opening: Please click the link below to update your password.
+      subject: Update Password
     verify_email:
-      opening: Please click the link below to complete your email verification.
       closing: If you did not request email verification you can safely ignore this message.
+      opening: Please click the link below to complete your email verification.
+      subject: "Email Address Verification"

data/lib/minimalist_authentication/authenticator.rb

@@ -13,37 +13,44 @@ module MinimalistAuthentication
     # Params examples:
     # { email: 'user@example.com', password: 'abc123' }
     # { username: 'user', password: 'abc123' }
-    # Returns user object upon successful authentication.
-    def self.authenticated_user(params)
+    def self.authenticate(params)
       hash = params.to_h.with_indifferent_access
+      field, value = hash.find { |key, _| LOGIN_FIELDS.include?(key) }
+      new(field:, value:, password: hash["password"]).authenticated_user
+    end
 
-      # Extract login field from hash
-      field = (hash.keys & LOGIN_FIELDS).first
-
-      # Attempt to authenticate user
-      new(field:, value: hash[field], password: hash["password"]).authenticated_user
+    def self.authenticated_user(params)
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling MinimalistAuthentication::Authenticator.authenticated_user is deprecated.
+        Use MinimalistAuthentication::Authenticator.authenticate instead.
+      MSG
+      authenticate(params)
     end
 
+    # Initializes a new Authenticator instance with the provided field, value, and password.
     def initialize(field:, value:, password:)
       @field    = field
       @value    = value
       @password = password
     end
 
-    # Returns user upon successful authentication, otherwise returns nil.
+    # Returns an authenticated and enabled user or nil.
     def authenticated_user
-      user if valid? && user&.authenticated?(password)
+      authenticated&.enabled if valid?
+    end
+
+    private
+
+    # Attempts to authenticate a user based on the provided field, value, and password.
+    # Returns user upon successful authentication, otherwise returns nil.
+    def authenticated
+      MinimalistAuthentication.configuration.user_model.authenticate_by(field => value, password:)
     end
 
     # Returns true if all the authentication attributes are present.
+    # Otherwise returns false.
     def valid?
       [field, value, password].all?(&:present?)
     end
-
-    private
-
-    def user
-      @user ||= MinimalistAuthentication.configuration.user_model.active.find_by(field => value)
-    end
   end
 end

data/lib/minimalist_authentication/configuration.rb

@@ -39,7 +39,7 @@ module MinimalistAuthentication
     # Defaults to true
     attr_accessor :request_email
 
-    # Vefify users email address at login.
+    # Verify users email address at login.
     # Defaults to true.
     attr_accessor :verify_email
 
@@ -51,10 +51,6 @@ module MinimalistAuthentication
     # Defaults to :new_session_path
     attr_accessor :logout_redirect_path
 
-    # Email subject prefix for MinimalistAuthenticationMailer messages
-    # Defaults to application name
-    attr_accessor :email_prefix
-
     def initialize
       self.user_model_name          = "::User"
       self.session_key              = :user_id
@@ -64,7 +60,10 @@ module MinimalistAuthentication
       self.verify_email             = true
       self.login_redirect_path      = :root_path
       self.logout_redirect_path     = :new_session_path
-      self.email_prefix             = default_email_prefix
+    end
+
+    def email_prefix=(_)
+      MinimalistAuthentication.deprecator.warn("The #email_prefix configuration setting is no longer supported.")
     end
 
     # Returns the user_model class
@@ -73,11 +72,5 @@ module MinimalistAuthentication
     def user_model
       user_model_name.constantize
     end
-
-    private
-
-    def default_email_prefix
-      "[#{Rails.application.engine_name.delete_suffix('_application').titleize}]"
-    end
   end
 end

data/lib/minimalist_authentication/controller.rb

@@ -19,9 +19,7 @@ module MinimalistAuthentication
     end
 
     def find_session_user
-      return unless session_user_id
-
-      MinimalistAuthentication.configuration.user_model.active.find_by(id: session_user_id)
+      MinimalistAuthentication.configuration.user_model.find_enabled(session_user_id)
     end
 
     def session_user_id
@@ -48,9 +46,5 @@ module MinimalistAuthentication
     def store_location
       session["return_to"] = url_for(request.params.merge(format: :html, only_path: true))
     end
-
-    def redirect_back_or_default(default)
-      redirect_to(session.delete("return_to") || default)
-    end
   end
 end

data/lib/minimalist_authentication/sessions.rb

@@ -5,6 +5,9 @@ module MinimalistAuthentication
     extend ActiveSupport::Concern
 
     included do
+      # URL to redirect to after successful login
+      attr_accessor :return_to
+
       skip_before_action  :authorization_required,    only: %i[new create]
       before_action       :redirect_logged_in_users,  only: :new
     end
@@ -23,7 +26,7 @@ module MinimalistAuthentication
     end
 
     def destroy
-      scrub_session!
+      reset_session
       redirect_to logout_redirect_to, notice: t(".notice"), status: :see_other
     end
 
@@ -34,11 +37,12 @@ module MinimalistAuthentication
     end
 
     def authenticated_user
-      @authenticated_user ||= MinimalistAuthentication::Authenticator.authenticated_user(user_params)
+      @authenticated_user ||= MinimalistAuthentication::Authenticator.authenticate(user_params)
     end
 
     def log_in_user
-      scrub_session!
+      self.return_to = session["return_to"]
+      reset_session
       authenticated_user.logged_in
       session[MinimalistAuthentication.configuration.session_key] = authenticated_user.id
     end
@@ -62,7 +66,7 @@ module MinimalistAuthentication
     end
 
     def after_authentication_success
-      redirect_back_or_default(login_redirect_to)
+      redirect_to return_to || login_redirect_to
     end
 
     def attempting_to_verify?
@@ -80,12 +84,6 @@ module MinimalistAuthentication
       user_params.values_at(*MinimalistAuthentication::Authenticator::LOGIN_FIELDS).compact.first
     end
 
-    def scrub_session!
-      (session.keys - %w[session_id return_to]).each do |key|
-        session.delete(key)
-      end
-    end
-
     def login_redirect_to
       send(MinimalistAuthentication.configuration.login_redirect_path)
     end

data/lib/minimalist_authentication/test_helper.rb

@@ -3,6 +3,7 @@
 module MinimalistAuthentication
   module TestHelper
     PASSWORD = "test-password"
+    PASSWORD_DIGEST = BCrypt::Password.create(PASSWORD, cost: BCrypt::Engine::MIN_COST)
 
     def login_as(user_fixture_name, password = PASSWORD)
       post session_path, params: { user: { email: users(user_fixture_name).email, password: } }

data/lib/minimalist_authentication/user.rb

@@ -9,62 +9,79 @@ module MinimalistAuthentication
     GUEST_USER_EMAIL = "guest"
 
     included do
-      # Stores the plain text password.
-      attribute :password, :string
+      has_secure_password
 
       # Force validations for a blank password.
       attribute :password_required, :boolean, default: false
 
-      # Hashes and stores the password on save.
-      before_save :hash_password
-
       # Email validations
       validates(
         :email,
         format:     { allow_blank: true, with: URI::MailTo::EMAIL_REGEXP },
-        uniqueness: { allow_blank: true, case_sensitive: false, scope: :active },
+        uniqueness: { allow_blank: true, case_sensitive: false },
         if:         :validate_email?
       )
       validates(:email, presence: true, if: :validate_email_presence?)
 
       # Password validations
-      validates(
-        :password,
-        confirmation: true,
-        length:       { minimum: :password_minimum, maximum: :password_maximum },
-        presence:     true,
-        if:           :validate_password?
-      )
+      # Adds validations for minimum password length and exclusivity.
+      # has_secure_password adds validations for presence, maximum length, confirmation,
+      # and password_challenge.
+      validates :password, length: { minimum: :password_minimum }, if: :validate_password?
+      validate :password_exclusivity, if: :password?
 
       # Active scope
-      scope :active,    ->(state = true)  { where(active: state) }
-      scope :inactive,  ->                { active(false) }
+      scope :active, ->(state = true) { where(active: state) }
     end
 
     module ClassMethods
+      # Finds a user by their id and returns the user if they are enabled.
+      # Returns nil if the user is not found or not enabled.
+      def find_enabled(id)
+        find_by(id:)&.enabled if id.present?
+      end
+
+      def inactive
+        MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+          Calling #inactive is deprecated. Use #active(false) instead.
+        MSG
+        active(false)
+      end
+
       # Returns a frozen user with the email set to GUEST_USER_EMAIL.
       def guest
         new(email: GUEST_USER_EMAIL).freeze
       end
     end
 
+    # Called after a user is authenticated to determine if the user object should be returned.
+    def enabled
+      self if enabled?
+    end
+
+    # Returns true if the user is enabled.
+    # Override this method in your user model to implement custom logic that determines if a user is eligible to log in.
+    def enabled?
+      active?
+    end
+
+    # Remove the has_secure_password password blank error if password is not required.
+    def errors
+      super.tap { |errors| errors.delete(:password, :blank) unless validate_password? }
+    end
+
     # Returns true if the user is not active.
     def inactive?
+      MinimalistAuthentication.deprecator.warn("Calling #inactive? is deprecated.")
       !active?
     end
 
-    # Returns true if password matches the hashed_password, otherwise returns false. Upon successful
-    # authentication the user's password_hash is updated if required.
+    # Returns true if password matches the hashed_password, otherwise returns false.
     def authenticated?(password)
-      return false unless password_object == password
-
-      update_hash!(password) if password_object.stale?
-      true
-    end
-
-    def logged_in
-      # Use update_column to avoid updated_on trigger
-      update_column(:last_logged_in_at, Time.current)
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #authenticated? is deprecated. Use #authenticate instead.
+      MSG
+      authenticate(password)
     end
 
     # Check if user is a guest based on their email attribute
@@ -72,54 +89,47 @@ module MinimalistAuthentication
       email == GUEST_USER_EMAIL
     end
 
+    # Sets #last_logged_in_at to the current time without updating the updated_at timestamp.
+    def logged_in
+      update_column(:last_logged_in_at, Time.current)
+    end
+
     # Minimum password length
     def password_minimum = 12
 
-    # Maximum password length
-    def password_maximum = 40
-
-    private
-
-    # Set self.password to password, hash, and save if user is valid.
-    def update_hash!(password)
-      self.password = password
-      return unless valid?
-
-      hash_password
-      save
+    # Checks for password presence
+    def password?
+      password.present?
     end
 
-    # Hash password and store in hash_password unless password is blank.
-    def hash_password
-      return if password.blank?
-
-      self.password_hash = Password.create(password)
-    end
+    private
 
-    # Returns a MinimalistAuthentication::Password object.
-    def password_object
-      Password.new(password_hash)
+    # Ensure password does not match username or email.
+    def password_exclusivity
+      %w[username email].each do |field|
+        errors.add(:password, "can not match #{field}") if password.casecmp?(try(field))
+      end
     end
 
     # Require password for active users that either do no have a password hash
     # stored OR are attempting to set a new password. Set **password_required**
     # to true to force validations even when the password field is blank.
     def validate_password?
-      active? && (password_hash.blank? || password? || password_required?)
+      active? && (password_digest.blank? || password? || password_required?)
     end
 
-    # Validate email for active users.
+    # Validate email for all users.
     # Applications can turn off email validation by setting the validate_email
     # configuration attribute to false.
     def validate_email?
-      MinimalistAuthentication.configuration.validate_email && active?
+      MinimalistAuthentication.configuration.validate_email
     end
 
     # Validate email presence for active users.
     # Applications can turn off email presence validation by setting
     # validate_email_presence configuration attribute to false.
     def validate_email_presence?
-      MinimalistAuthentication.configuration.validate_email_presence && validate_email?
+      MinimalistAuthentication.configuration.validate_email_presence && validate_email? && active?
     end
   end
 end

data/lib/minimalist_authentication/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MinimalistAuthentication
-  VERSION = "2.7.0"
+  VERSION = "3.1.0"
 end

data/lib/minimalist_authentication.rb

@@ -6,9 +6,12 @@ require "minimalist_authentication/configuration"
 require "minimalist_authentication/user"
 require "minimalist_authentication/verifiable_token"
 require "minimalist_authentication/email_verification"
-require "minimalist_authentication/password"
-require "minimalist_authentication/null_password"
 require "minimalist_authentication/controller"
 require "minimalist_authentication/sessions"
 require "minimalist_authentication/test_helper"
-require "minimalist_authentication/conversions/merge_password_hash"
+
+module MinimalistAuthentication
+  def self.deprecator
+    @deprecator ||= ActiveSupport::Deprecation.new("4.0", name)
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: minimalist_authentication
 version: !ruby/object:Gem::Version
-  version: 2.7.0
+  version: 3.1.0
 platform: ruby
 authors:
 - Aaron Baldwin
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-03 00:00:00.000000000 Z
+date: 2024-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -37,14 +37,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.0
+        version: 7.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.0
+        version: 7.1.0
 description: A Rails authentication plugin that takes a minimalist approach. It is
   designed to be simple to understand, use, and modify for your application.
 email:
@@ -84,8 +84,6 @@ files:
 - lib/minimalist_authentication/conversions/merge_password_hash.rb
 - lib/minimalist_authentication/email_verification.rb
 - lib/minimalist_authentication/engine.rb
-- lib/minimalist_authentication/null_password.rb
-- lib/minimalist_authentication/password.rb
 - lib/minimalist_authentication/sessions.rb
 - lib/minimalist_authentication/test_helper.rb
 - lib/minimalist_authentication/user.rb
@@ -96,7 +94,6 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/wwidea/minimalist_authentication
-  source_code_uri: https://github.com/wwidea/minimalist_authentication
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []

data/lib/minimalist_authentication/null_password.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-module MinimalistAuthentication
-  class NullPassword
-    # does not match any object
-    def ==(_other)
-      false
-    end
-  end
-end

data/lib/minimalist_authentication/password.rb

@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-
-module MinimalistAuthentication
-  class Password
-    class << self
-      # Create a bcrypt password hash with a calibrated cost factor.
-      def create(secret)
-        new ::BCrypt::Engine.hash_secret(secret, BCrypt::Engine.generate_salt(cost))
-      end
-
-      # Cache the calibrated bcrypt cost factor.
-      def cost
-        @cost ||= calibrate_cost
-      end
-
-      private
-
-      # Calibrates cost so that new user passwords can automatically take
-      # advantage of faster server hardware in the future.
-      # Sets cost to BCrypt::Engine::MIN_COST in the test environment
-      def calibrate_cost
-        ::Rails.env.test? ? ::BCrypt::Engine::MIN_COST : ::BCrypt::Engine.calibrate(750)
-      end
-    end
-
-    attr_accessor :bcrypt_password
-
-    # Returns a password object wrapping a valid BCrypt password or a NullPassword
-    def initialize(password_hash)
-      self.bcrypt_password = ::BCrypt::Password.new(password_hash)
-    rescue ::BCrypt::Errors::InvalidHash
-      self.bcrypt_password = NullPassword.new
-    end
-
-    # Delegate methods to bcrypt_password
-    delegate :==, :to_s, :cost, to: :bcrypt_password
-
-    # Temporary access to checksum and salt for backwards compatibility
-    delegate :checksum, :salt,  to: :bcrypt_password
-
-    # Checks if the password_hash cost factor is less than the current cost.
-    def stale?
-      cost < self.class.cost
-    end
-  end
-end