minimalist_authentication 3.0.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a82f3a3833f400b37555173885d052000dfbd5e4a67da90068384558f8d97705
-  data.tar.gz: 48b819ddbb26a5cb5deaa03c5cd3ef943394e93d6390286d3f30cbae7e5e8477
+  metadata.gz: ba64bc8499dedd0f4fe8dfca813cc0c21e2d32759bd3b3b4dd8aac3c0e77605a
+  data.tar.gz: 566e4b373c274fd7843469d4d225560baf877aabde97658b1aa5a66f3c97f65e
 SHA512:
-  metadata.gz: c867bd7daebdce0f0998e78db4d05ed89bd8d3767d6bb0dc79e362f74ca8e2ac43e930dffb0f396d3d1f4f6b517d26fee00e03e06c32a8afd4b52fb0d03984b7
-  data.tar.gz: de8329fcb5b6bd2d01e9a421818952e6f362d4ff16a3e060d30e5b3afbd4751d56e4c0d37b1a3d80d917baf48dea36b407a2fbfc8f647019fa896529d82bf3a2
+  metadata.gz: 149c5f1eb8a13319ba9d4848a7851107433d96081ed9a1bf01e43cba0366cb1e873aaa47c10eefed29aba9b973bf53076ecefd6d7b6835bb1a9300a4db8813fc
+  data.tar.gz: 51aae04db4c7bcdf4a26009fc1278aa716aea12d95624fe74ffd21fb9d52e0c901ec78d15751df92c2ce2882544a54b80f623e72a53703e1a67b88072662aed9

data/README.md

@@ -1,15 +1,15 @@
 # MinimalistAuthentication
-A Rails authentication gem that takes a minimalist approach. It is designed to be simple to understand, use, and modify for your application.
+A Rails authentication gem that takes a minimalist approach. It is designed to be simple to understand, use, and customize for your application.
 
 
 ## Installation
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'minimalist_authentication'
+gem "minimalist_authentication"
 ```
 
-And then execute:
+And then run:
 ```bash
 $ bundle
 ```
@@ -61,19 +61,29 @@ class ActiveSupport::TestCase
 end
 ```
 
+
 ## Configuration
 Customize the configuration with an initializer. Create a **minimalist_authentication.rb** file in config/initializers.
 ```ruby
 MinimalistAuthentication.configure do |configuration|
-  configuration.user_model_name           = 'CustomModelName'   # default is '::User'
+  configuration.login_redirect_path       = :custom_path        # default is :root_path
+  configuration.logout_redirect_path      = :custom_path        # default is :new_session_path
+  configuration.request_email             = true                # default is true
   configuration.session_key               = :custom_session_key # default is :user_id
+  configuration.user_model_name           = "CustomModelName"   # default is "::User"
   configuration.validate_email            = true                # default is true
   configuration.validate_email_presence   = true                # default is true
-  configuration.request_email             = true                # default is true
   configuration.verify_email              = true                # default is true
-  configuration.login_redirect_path       = :custom_path        # default is :root_path
-  configuration.logout_redirect_path      = :custom_path        # default is :new_session_path
-  configuration.email_prefix              = '[Custom Prefix]'   # default is application name
+end
+```
+
+### Example with a Person Model
+```ruby
+MinimalistAuthentication.configure do |configuration|
+  configuration.login_redirect_path     = :dashboard_path
+  configuration.session_key             = :person_id
+  configuration.user_model_name         = "Person"
+  configuration.validate_email_presence = false
 end
 ```
 
@@ -87,38 +97,44 @@ example_user:
 ```
 
 
-## Verification Tokens
-Verification token support is provided by the **MinimalistAuthentication::VerifiableToken**
-module. Include the module in your user class and add the verification token columns
-to the database.
-
-Include MinimalistAuthentication::VerifiableToken in your user model (app/models/user.rb)
+## Email Verification
+Include MinimalistAuthentication::EmailVerification in your user model (app/models/user.rb)
 ```ruby
 class User < ApplicationRecord
   include MinimalistAuthentication::User
-  include MinimalistAuthentication::VerifiableToken
+  include MinimalistAuthentication::EmailVerification
 end
 ```
 
-Add the **verification_token** and **verification_token_generated_at** columns:
-Create a user model with **email** for an identifier:
+Add the **email_verified_at** column to your user model:
 ```bash
-bin/rails generate migration AddVerificationTokenToUsers verification_token:string:uniq verification_token_generated_at:datetime
+bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetime
 ```
 
-### Email Verification
-Include MinimalistAuthentication::EmailVerification in your user model (app/models/user.rb)
+
+## Verification Tokens
+Verification token support is provided by the ```ActiveRecord::TokenFor#generate_token_for``` method. MinimalistAuthentication includes token definitions for **password_reset** and **email_verification**. These tokens are utilized by the **update_password** and **verify_email** email messages respectively, to allow users to update their passwords and verify their email addresses.
+
+### Update Password
+The **update_password** token expires in 1 hour and is invalidated when the user's password is changed.
+
+#### Example
 ```ruby
-class User < ApplicationRecord
-  include MinimalistAuthentication::User
-  include MinimalistAuthentication::VerifiableToken
-  include MinimalistAuthentication::EmailVerification
-end
+token = user.generate_token_for(:password_reset)
+User.find_by_token_for(:password_reset, token) # => user
+user.update!(password: "new password")
+User.find_by_token_for(:password_reset, token) # => nil
 ```
 
-Add the **email_verified_at** column to your user model:
-```bash
-bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetime
+### Email Verification
+The **email_verification** token expires in 1 hour and is invalidated when the user's email is changed.
+
+#### Example
+```ruby
+token = user.generate_token_for(:email_verification)
+User.find_by_token_for(:email_verification, token) # => user
+user.update!(email: "new_email@example.com")
+User.find_by_token_for(:email_verification, token) # => nil
 ```
 
 
@@ -127,7 +143,7 @@ bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetim
 ### Upgrading to Version 2.0
 Pre 2.0 versions of MinimalistAuthentication supported multiple hash algorithms
 and stored the hashed password and salt as separate fields in the database
-(crypted_password and salt). The current version of MinimalistAuthentication
+(crypted_password and salt). The 2.0 version of MinimalistAuthentication
 uses BCrypt to hash passwords and stores the result in the **password_hash** field.
 
 To convert from a pre 2.0 version add the **password_hash** to your user model
@@ -163,5 +179,9 @@ end
 alias_attribute :password_digest, :password_hash
 ```
 
+### Upgrading to Version 3.2
+The **verification_token** and **verification_token_generated_at** database columns are no longer used and can be safely removed from your user model.
+
+
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT)..

data/app/controllers/email_verifications_controller.rb

@@ -1,18 +1,19 @@
 # frozen_string_literal: true
 
 class EmailVerificationsController < ApplicationController
+  # Verifies the email of the current_user using the provided token
   def show
     current_user.verify_email(params[:token])
   end
 
+  # Form for current_user to request an email verification email
   def new
-    # verify email for current_user
+    # new.html.erb
   end
 
+  # Sends an email verification email to the current_user
   def create
-    current_user.regenerate_verification_token
-    MinimalistAuthenticationMailer.verify_email(current_user).deliver_now
-
+    MinimalistAuthenticationMailer.with(user: current_user).verify_email.deliver_now
     redirect_to dashboard_path, notice: t(".notice", email: current_user.email)
   end
 end

data/app/controllers/emails_controller.rb

@@ -7,7 +7,7 @@ class EmailsController < ApplicationController
     if current_user.update(user_params)
       redirect_to update_redirect_path, notice: t(".notice")
     else
-      render :edit
+      render :edit, status: :unprocessable_entity
     end
   end
 

data/app/controllers/password_resets_controller.rb

@@ -5,30 +5,39 @@ class PasswordResetsController < ApplicationController
 
   layout "sessions"
 
-  # Form for user to request a password reset
+  # Renders form for user to request a password reset
   def new
-    @user = MinimalistAuthentication.configuration.user_model.new
+    # new.html.erb
   end
 
   # Send a password update link to users with a verified email
   def create
-    if user
-      user.regenerate_verification_token
-      MinimalistAuthenticationMailer.update_password(user).deliver_now
+    if email_valid?
+      send_update_password_email if user
+
+      # Always display notice to prevent leaking user emails
+      redirect_to new_session_path, notice: t(".notice", email:)
+    else
+      flash.now.alert = t(".alert")
+      render :new, status: :unprocessable_entity
     end
-    # always display notice even if the user was not found to prevent leaking user emails
-    redirect_to new_session_path, notice: "Password reset instructions were mailed to #{email}"
   end
 
   private
 
-  def user
-    return unless URI::MailTo::EMAIL_REGEXP.match?(email)
+  def email
+    params.dig(:user, :email)
+  end
 
-    @user ||= MinimalistAuthentication.configuration.user_model.active.email_verified.find_by(email:)
+  def send_update_password_email
+    MinimalistAuthenticationMailer.with(user:).update_password.deliver_now
   end
 
-  def email
-    params.dig(:user, :email)
+  def user
+    @user ||= MinimalistAuthentication.user_model.find_by_verified_email(email:)
+  end
+
+  def email_valid?
+    URI::MailTo::EMAIL_REGEXP.match?(email)
   end
 end

data/app/controllers/passwords_controller.rb

@@ -3,34 +3,39 @@
 class PasswordsController < ApplicationController
   skip_before_action :authorization_required
 
+  before_action :validate_token, only: %i[edit update]
+
   layout "sessions"
 
   # From for user to update password
   def edit
-    redirect_to(new_session_path) unless user.matches_verification_token?(token)
-    # render passwords/edit.html.erb
+    # edit.html.erb
   end
 
   # Update user's password
   def update
-    if user.secure_update(token, password_params.merge(password_required: true))
+    if user.update(password_params.merge(password_required: true))
       redirect_to new_session_path, notice: t(".notice")
     else
-      render :edit
+      render :edit, status: :unprocessable_entity
     end
   end
 
   private
 
-  def user
-    @user ||= MinimalistAuthentication.configuration.user_model.find(params[:user_id])
+  def password_params
+    params.require(:user).permit(:password, :password_confirmation)
   end
 
   def token
     @token ||= params[:token]
   end
 
-  def password_params
-    params.require(:user).permit(:password, :password_confirmation)
+  def user
+    @user ||= MinimalistAuthentication.user_model.active.find_by_token_for(:password_reset, token)
+  end
+
+  def validate_token
+    redirect_to(new_session_path, alert: t(".invalid_token")) unless user
   end
 end

data/app/helpers/minimalist_authentication/application_helper.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module MinimalistAuthentication
+  module ApplicationHelper
+    def ma_confirm_password_field(form, options = {})
+      form.password_field(
+        :password_confirmation,
+        options.reverse_merge(
+          autocomplete: "new-password",
+          minlength:    MinimalistAuthentication.user_model.password_minimum,
+          placeholder:  t(".password_confirmation.placeholder"),
+          required:     true
+        )
+      )
+    end
+
+    def ma_email_field(form, options = {})
+      form.email_field(
+        :email,
+        options.reverse_merge(
+          autocomplete: "email",
+          autofocus:    true,
+          placeholder:  t(".email.placeholder", default: true),
+          required:     true
+        )
+      )
+    end
+
+    def ma_forgot_password_link
+      link_to(t(".forgot_password"), new_password_reset_path)
+    end
+
+    def ma_new_password_field(form, options = {})
+      form.password_field(
+        :password,
+        options.reverse_merge(
+          autocomplete: "new-password",
+          minlength:    MinimalistAuthentication.user_model.password_minimum,
+          placeholder:  t(".password.placeholder"),
+          required:     true
+        )
+      )
+    end
+
+    def ma_password_field(form, options = {})
+      form.password_field(
+        :password,
+        options.reverse_merge(
+          autocomplete: "current-password",
+          placeholder:  true,
+          required:     true
+        )
+      )
+    end
+
+    def ma_username_field(form, options = {})
+      form.text_field(
+        :username,
+        options.reverse_merge(
+          autocomplete: "username",
+          autofocus:    true,
+          placeholder:  true,
+          required:     true
+        )
+      )
+    end
+  end
+end

data/app/mailers/minimalist_authentication_mailer.rb

@@ -1,24 +1,20 @@
 # frozen_string_literal: true
 
 class MinimalistAuthenticationMailer < ApplicationMailer
-  def verify_email(user)
-    @verify_email_link = email_verification_url(token: user.verification_token)
-    send_to(user, "Email Address Verification")
+  before_action { @user = params[:user] }
+  after_action :mail_user
+
+  def verify_email
+    @verify_email_url = email_verification_url(token: @user.generate_token_for(:email_verification))
   end
 
-  def update_password(user)
-    @edit_password_link = edit_user_password_url(user, token: user.verification_token)
-    send_to(user, "Update Password")
+  def update_password
+    @edit_password_url = edit_password_url(token: @user.generate_token_for(:password_reset))
   end
 
   private
 
-  def send_to(user, subject)
-    @user = user
-    mail to: @user.email, subject: prefixed_subject(subject)
-  end
-
-  def prefixed_subject(subject)
-    "#{MinimalistAuthentication.configuration.email_prefix} #{subject}"
+  def mail_user
+    mail(to: @user.email)
   end
 end

data/app/views/email_verifications/show.html.erb

@@ -7,4 +7,4 @@
 <% end %>
 <h2><%= current_user.email %></h2>
 
-<%= link_to('Go to Dashboard', dashboard_path) %>
+<%= link_to("Go to Dashboard", dashboard_path) %>

data/app/views/emails/edit.html.erb

@@ -2,11 +2,11 @@
 
 <h2>Please update your email address</h2>
 
-<%= form_for(current_user, as: :user, url: email_path) do |form| %>
+<%= form_with(model: current_user, url: email_path) do |form| %>
   <%= form.text_field :email %>
-  <%= form.submit 'Update' %>
+  <%= form.submit "Update" %>
 <% end %>
 
 <p>Providing your email will allow you to receive confidential messages and reset your password.</p>
 
-<%= link_to('Skip Email Update', dashboard_path) %>
+<%= link_to("Skip Email Update", dashboard_path) %>

data/app/views/minimalist_authentication_mailer/update_password.html.erb

@@ -1,3 +1,5 @@
 <p><%= t('.opening') %></p>
 
-<%= link_to @edit_password_link, @edit_password_link %>
+<p>
+  <%= link_to("Update Password", @edit_password_url, rel: "noopener noreferrer", target: "_blank") %>
+</p>

data/app/views/minimalist_authentication_mailer/update_password.text.erb

@@ -1,3 +1,3 @@
-<%= t('.opening') %>
+<%= t(".opening") %>
 
-<%= @edit_password_link %>
+<%= @edit_password_url %>

data/app/views/minimalist_authentication_mailer/verify_email.html.erb

@@ -1,5 +1,11 @@
-<p><%= t('.opening') %></p>
+<p>
+  <%= t(".opening") %>
+</p>
 
-<%= link_to @verify_email_link, @verify_email_link %>
+<p>
+  <%= link_to("Verify Email Address", @verify_email_url, rel: "noopener noreferrer", target: "_blank") %>
+</p>
 
-<p><%= t('.closing') %></p>
+<p>
+  <%= t(".closing") %>
+</p>

data/app/views/minimalist_authentication_mailer/verify_email.text.erb

@@ -1,5 +1,5 @@
-<%= t('.opening') %>
+<%= t(".opening") %>
 
-<%= @verify_email_link %>
+<%= @verify_email_url %>
 
-<%= t('.closing') %>
+<%= t(".closing") %>

data/app/views/password_resets/new.html.erb

@@ -1,13 +1,12 @@
-<h1>Request Password Reset</h1>
+<h1><%= t(".title") %></h1>
 
 <p>
-  Enter your email address we'll send you a link to reset your password.
+  <%= t(".instructions") %>
 </p>
 
-<%= form_for @user, as: :user, url: password_reset_path do |form| %>
+<%= form_with scope: :user, url: password_reset_path do |form| %>
   <div>
-    <%= form.label      :email %>
-    <%= form.text_field :email %>
+    <%= ma_email_field(form) %>
   </div>
-  <%= form.submit 'Reset Password' %>
+  <%= form.submit t(".submit") %>
 <% end %>

data/app/views/passwords/edit.html.erb

@@ -1,15 +1,17 @@
-<h1>Edit Password</h1>
+<h1><%= t(".title") %></h1>
+
+<p><%= t(".instructions") %></p>
 
 <%= @user.errors.full_messages if @user.errors.any? %>
 
-<%= form_for @user, as: :user, url: user_password_path(@user, token: @token), html: { method: :put } do |form| %>
+<%= form_with model: @user, url: password_path(token: @token) do |form| %>
   <div>
-    <%= form.label          :password %>
-    <%= form.password_field :password %>
+    <%= form.label :password %>
+    <%= ma_new_password_field(form) %>
   </div>
   <div>
-    <%= form.label          :password_confirmation %>
-    <%= form.password_field :password_confirmation %>
+    <%= form.label :password_confirmation %>
+    <%= ma_confirm_password_field(form) %>
   </div>
-  <%= form.submit 'Update Password' %>
+  <%= form.submit t(".submit") %>
 <% end %>

data/app/views/sessions/_form.html.erb

@@ -1,11 +1,11 @@
-<%= form_for @user, url: session_path do |form| %>
+<%= form_with model: @user, url: session_path do |form| %>
   <div>
-    <%= form.label          :email %>
-    <%= form.text_field     :email %>
+    <%= form.label :email %>
+    <%= ma_email_field(form) %>
   </div>
-  <div>
-    <%= form.label          :password %>
-    <%= form.password_field :password %>
+  <div style="margin-top: 8px;">
+    <%= form.label :password %>
+    <%= ma_password_field(form) %>
   </div>
-  <%= form.submit         'Log in' %>
+  <%= form.submit t("sessions.new.submit") %>
 <% end %>

data/app/views/sessions/new.html.erb

@@ -1,3 +1,3 @@
-<h1>Login</h1>
-<%= render partial: 'form' %>
-<%= link_to 'I forgot', new_password_reset_path %>
+<h1><%= t(".title") %></h1>
+<%= render partial: "form" %>
+<%= ma_forgot_password_link %>

data/config/locales/minimalist_authentication.en.yml

@@ -1,12 +1,38 @@
 en:
-  # controllers
   email_verifications:
     create:
       notice: Verification email sent to %{email}, follow the instructions to complete verification. Thank you!
   emails:
     update:
       notice: Email successfully updated
+  minimalist_authentication_mailer:
+    update_password:
+      opening: Please click the link below to update your password.
+      subject: Update Password
+    verify_email:
+      closing: If you did not request email verification you can safely ignore this message.
+      opening: Please click the link below to complete your email verification.
+      subject: Email Address Verification
+  password_resets:
+    new:
+      email:
+        placeholder: Enter your email address
+      instructions: Enter your verified email address, and we'll send you a link to reset your password.
+      submit: Send Reset Link
+      title: Reset Your Password
+    create:
+      alert: Please provide a valid email address.
+      notice: We've sent password reset instructions to %{email}. If you don't receive the email within a few minutes, please check your spam folder.
   passwords:
+    edit:
+      instructions: Please enter your new password.
+      password:
+        placeholder: New password
+      password_confirmation:
+        placeholder: Confirm password
+      submit: Reset Password
+      title: Reset Password
+    invalid_token: Your password reset link has expired. Please request a new one to continue.
     update:
       notice: Password successfully updated
   sessions:
@@ -14,11 +40,7 @@ en:
       alert: Couldn't log you in as %{identifier}
     destroy:
       notice: You have been logged out.
-
-  # mailers
-  minimalist_authentication_mailer:
-    update_password:
-      opening: Please click the link below to update your password.
-    verify_email:
-      opening: Please click the link below to complete your email verification.
-      closing: If you did not request email verification you can safely ignore this message.
+    new:
+      forgot_password: Forgot password?
+      title: Sign In
+      submit: Sign In

data/config/routes.rb

@@ -1,12 +1,8 @@
 # frozen_string_literal: true
 
 Rails.application.routes.draw do
-  resources :user, only: [] do
-    resource :password, only: %i[edit update]
-  end
-
-  resource :password_reset,     only: %i[new create]
-
+  resource :email_verification, only: %i[show new create]
   resource :email,              only: %i[edit update]
-  resource :email_verification, only: %i[new create show]
+  resource :password_reset,     only: %i[new create]
+  resource :password,           only: %i[edit update]
 end

data/lib/minimalist_authentication/authenticator.rb

@@ -13,37 +13,44 @@ module MinimalistAuthentication
     # Params examples:
     # { email: 'user@example.com', password: 'abc123' }
     # { username: 'user', password: 'abc123' }
-    # Returns user object upon successful authentication.
-    def self.authenticated_user(params)
+    def self.authenticate(params)
       hash = params.to_h.with_indifferent_access
+      field, value = hash.find { |key, _| LOGIN_FIELDS.include?(key) }
+      new(field:, value:, password: hash["password"]).authenticated_user
+    end
 
-      # Extract login field from hash
-      field = (hash.keys & LOGIN_FIELDS).first
-
-      # Attempt to authenticate user
-      new(field:, value: hash[field], password: hash["password"]).authenticated_user
+    def self.authenticated_user(params)
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling MinimalistAuthentication::Authenticator.authenticated_user is deprecated.
+        Use MinimalistAuthentication::Authenticator.authenticate instead.
+      MSG
+      authenticate(params)
     end
 
+    # Initializes a new Authenticator instance with the provided field, value, and password.
     def initialize(field:, value:, password:)
       @field    = field
       @value    = value
       @password = password
     end
 
-    # Returns user upon successful authentication, otherwise returns nil.
+    # Returns an authenticated and enabled user or nil.
     def authenticated_user
-      user if valid? && user&.authenticated?(password)
+      authenticated&.enabled if valid?
+    end
+
+    private
+
+    # Attempts to authenticate a user based on the provided field, value, and password.
+    # Returns user upon successful authentication, otherwise returns nil.
+    def authenticated
+      MinimalistAuthentication.configuration.user_model.authenticate_by(field => value, password:)
     end
 
     # Returns true if all the authentication attributes are present.
+    # Otherwise returns false.
     def valid?
       [field, value, password].all?(&:present?)
     end
-
-    private
-
-    def user
-      @user ||= MinimalistAuthentication.configuration.user_model.active.find_by(field => value)
-    end
   end
 end

data/lib/minimalist_authentication/configuration.rb

@@ -51,10 +51,6 @@ module MinimalistAuthentication
     # Defaults to :new_session_path
     attr_accessor :logout_redirect_path
 
-    # Email subject prefix for MinimalistAuthenticationMailer messages
-    # Defaults to application name
-    attr_accessor :email_prefix
-
     def initialize
       self.user_model_name          = "::User"
       self.session_key              = :user_id
@@ -64,20 +60,21 @@ module MinimalistAuthentication
       self.verify_email             = true
       self.login_redirect_path      = :root_path
       self.logout_redirect_path     = :new_session_path
-      self.email_prefix             = default_email_prefix
     end
 
-    # Returns the user_model class
-    # Calling constantize on a string makes this work correctly with
-    # the Spring application preloader gem.
-    def user_model
-      user_model_name.constantize
+    # Clear the user_model class
+    def clear_user_model
+      @user_model = nil
     end
 
-    private
+    # Display deprecation warning for email_prefix
+    def email_prefix=(_)
+      MinimalistAuthentication.deprecator.warn("The #email_prefix configuration setting is no longer supported.")
+    end
 
-    def default_email_prefix
-      "[#{Rails.application.engine_name.delete_suffix('_application').titleize}]"
+    # Returns the user_model class
+    def user_model
+      @user_model ||= user_model_name.constantize
     end
   end
 end

data/lib/minimalist_authentication/controller.rb

@@ -9,6 +9,8 @@ module MinimalistAuthentication
       # use skip_before_action to open up specific actions
       before_action :authorization_required
 
+      helper MinimalistAuthentication::ApplicationHelper
+
       helper_method :current_user, :logged_in?, :authorized?
     end
 
@@ -19,9 +21,7 @@ module MinimalistAuthentication
     end
 
     def find_session_user
-      return unless session_user_id
-
-      MinimalistAuthentication.configuration.user_model.active.find_by(id: session_user_id)
+      MinimalistAuthentication.configuration.user_model.find_enabled(session_user_id)
     end
 
     def session_user_id

data/lib/minimalist_authentication/email_verification.rb

@@ -5,9 +5,31 @@ module MinimalistAuthentication
     extend ActiveSupport::Concern
 
     included do
-      before_save :clear_email_verification, if: ->(user) { user.email_changed? }
+      generates_token_for :email_verification, expires_in: 1.hour do
+        email
+      end
 
-      scope :email_verified, -> { where("LENGTH(email) > 2").where.not(email_verified_at: nil) }
+      before_save :clear_email_verification, if: :email_changed?
+
+      scope :with_verified_email, -> { where.not(email_verified_at: nil) }
+    end
+
+    module ClassMethods
+      def email_verified
+        MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+          Calling #email_verified is deprecated.
+          Call #with_verified_email instead.
+        MSG
+        with_verified_email
+      end
+
+      def find_by_verified_email(email:)
+        active.with_verified_email.find_by(email:)
+      end
+    end
+
+    def email_verified?
+      email.present? && email_verified_at.present?
     end
 
     def needs_email_set?
@@ -18,26 +40,22 @@ module MinimalistAuthentication
       email_verification_enabled? && email.present? && email_verified_at.blank?
     end
 
-    def email_verified?
-      email.present? && email_verified_at.present?
-    end
-
     def verify_email(token)
-      secure_update(token, email_verified_at: Time.zone.now)
+      touch(:email_verified_at) if token_owner?(:email_verification, token)
     end
 
     private
 
-    def request_email_enabled?
-      MinimalistAuthentication.configuration.request_email
+    def clear_email_verification
+      self.email_verified_at = nil
     end
 
     def email_verification_enabled?
       MinimalistAuthentication.configuration.verify_email
     end
 
-    def clear_email_verification
-      self.email_verified_at = nil
+    def request_email_enabled?
+      MinimalistAuthentication.configuration.request_email
     end
   end
 end

data/lib/minimalist_authentication/engine.rb

@@ -2,5 +2,10 @@
 
 module MinimalistAuthentication
   class Engine < ::Rails::Engine
+    isolate_namespace MinimalistAuthentication
+
+    config.to_prepare do
+      MinimalistAuthentication.configuration.clear_user_model
+    end
   end
 end

data/lib/minimalist_authentication/sessions.rb

@@ -37,7 +37,7 @@ module MinimalistAuthentication
     end
 
     def authenticated_user
-      @authenticated_user ||= MinimalistAuthentication::Authenticator.authenticated_user(user_params)
+      @authenticated_user ||= MinimalistAuthentication::Authenticator.authenticate(user_params)
     end
 
     def log_in_user

data/lib/minimalist_authentication/user.rb

@@ -9,7 +9,11 @@ module MinimalistAuthentication
     GUEST_USER_EMAIL = "guest"
 
     included do
-      has_secure_password validations: false
+      has_secure_password
+
+      generates_token_for :password_reset, expires_in: 1.hour do
+        password_salt.last(10)
+      end
 
       # Force validations for a blank password.
       attribute :password_required, :boolean, default: false
@@ -24,37 +28,69 @@ module MinimalistAuthentication
       validates(:email, presence: true, if: :validate_email_presence?)
 
       # Password validations
-      validates(
-        :password,
-        confirmation: true,
-        length:       { minimum: :password_minimum, maximum: :password_maximum },
-        presence:     true,
-        if:           :validate_password?
-      )
+      # Adds validations for minimum password length and exclusivity.
+      # has_secure_password adds validations for presence, maximum length, confirmation,
+      # and password_challenge.
+      validates :password, length: { minimum: :password_minimum }, if: :validate_password?
       validate :password_exclusivity, if: :password?
 
       # Active scope
-      scope :active,    ->(state = true)  { where(active: state) }
-      scope :inactive,  ->                { active(false) }
+      scope :active, ->(state = true) { where(active: state) }
+
+      delegate :password_minimum, to: :class
     end
 
     module ClassMethods
+      # Finds a user by their id and returns the user if they are enabled.
+      # Returns nil if the user is not found or not enabled.
+      def find_enabled(id)
+        find_by(id:)&.enabled if id.present?
+      end
+
+      def inactive
+        MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+          Calling #inactive is deprecated. Use #active(false) instead.
+        MSG
+        active(false)
+      end
+
       # Returns a frozen user with the email set to GUEST_USER_EMAIL.
       def guest
         new(email: GUEST_USER_EMAIL).freeze
       end
+
+      # Minimum password length
+      def password_minimum = 12
+    end
+
+    # Called after a user is authenticated to determine if the user object should be returned.
+    def enabled
+      self if enabled?
+    end
+
+    # Returns true if the user is enabled.
+    # Override this method in your user model to implement custom logic that determines if a user is eligible to log in.
+    def enabled?
+      active?
+    end
+
+    # Remove the has_secure_password password blank error if password is not required.
+    def errors
+      super.tap { |errors| errors.delete(:password, :blank) unless validate_password? }
     end
 
     # Returns true if the user is not active.
     def inactive?
+      MinimalistAuthentication.deprecator.warn("Calling #inactive? is deprecated.")
       !active?
     end
 
     # Returns true if password matches the hashed_password, otherwise returns false.
     def authenticated?(password)
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #authenticated? is deprecated. Use #authenticate instead.
+      MSG
       authenticate(password)
-    rescue ::BCrypt::Errors::InvalidHash
-      false
     end
 
     # Check if user is a guest based on their email attribute
@@ -62,17 +98,11 @@ module MinimalistAuthentication
       email == GUEST_USER_EMAIL
     end
 
+    # Sets #last_logged_in_at to the current time without updating the updated_at timestamp.
     def logged_in
-      # Use update_column to avoid updated_on trigger
       update_column(:last_logged_in_at, Time.current)
     end
 
-    # Minimum password length
-    def password_minimum = 12
-
-    # Maximum password length
-    def password_maximum = 40
-
     # Checks for password presence
     def password?
       password.present?
@@ -87,6 +117,11 @@ module MinimalistAuthentication
       end
     end
 
+    # Return true if the user matches the owner of the provided token.
+    def token_owner?(purpose, token)
+      self.class.find_by_token_for(purpose, token) == self
+    end
+
     # Require password for active users that either do no have a password hash
     # stored OR are attempting to set a new password. Set **password_required**
     # to true to force validations even when the password field is blank.

data/lib/minimalist_authentication/verifiable_token.rb

@@ -4,51 +4,33 @@ module MinimalistAuthentication
   module VerifiableToken
     extend ActiveSupport::Concern
 
-    TOKEN_EXPIRATION_HOURS = 6
-
-    # generate secure verification_token and record generation time
-    def regenerate_verification_token
-      update_token
-    end
-
-    def secure_update(token, attributes)
-      if matches_verification_token?(token)
-        update(attributes) && clear_token
-      else
-        errors.add(:base, "Verification token check failed")
-        false
-      end
+    included do
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        MinimalistAuthentication::VerifiableToken is no longer required.
+        You can safely remove the include from your user model.
+      MSG
     end
 
-    def matches_verification_token?(token)
-      token.present? && verification_token_valid? && secure_match?(token)
+    def matches_verification_token?(_token)
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #matches_verification_token? is deprecated.
+      MSG
     end
 
-    def verification_token_valid?
-      return false if verification_token.blank? || verification_token_generated_at.blank?
-
-      verification_token_generated_at > TOKEN_EXPIRATION_HOURS.hours.ago
-    end
-
-    private
-
-    def clear_token
-      update_token(token: nil, time: nil)
-    end
-
-    def update_token(token: self.class.generate_unique_secure_token, time: Time.now.utc)
-      update!(
-        verification_token:              token,
-        verification_token_generated_at: time
-      )
+    def regenerate_verification_token
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #regenerate_verification_token is deprecated and no longer generates tokens.
+        Call #generate_token_for with an argument of :password_reset or
+        :email_verification instead.
+      MSG
     end
 
-    # Compare the tokens in a time-constant manner, to mitigate timing attacks.
-    def secure_match?(token)
-      ActiveSupport::SecurityUtils.secure_compare(
-        ::Digest::SHA256.hexdigest(token),
-        ::Digest::SHA256.hexdigest(verification_token)
-      )
+    def verification_token
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #verification_token is deprecated and no longer returns a valid token.
+        Call #generate_token_for with an argument of :password_reset or
+        :email_verification instead.
+      MSG
     end
   end
 end

data/lib/minimalist_authentication/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MinimalistAuthentication
-  VERSION = "3.0.0"
+  VERSION = "3.2.0"
 end

data/lib/minimalist_authentication.rb

@@ -9,3 +9,13 @@ require "minimalist_authentication/email_verification"
 require "minimalist_authentication/controller"
 require "minimalist_authentication/sessions"
 require "minimalist_authentication/test_helper"
+
+module MinimalistAuthentication
+  class << self
+    delegate :user_model, to: :configuration
+
+    def deprecator
+      @deprecator ||= ActiveSupport::Deprecation.new("4.0", name)
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: minimalist_authentication
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Aaron Baldwin
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-03 00:00:00.000000000 Z
+date: 2024-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -37,14 +37,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.0
+        version: 7.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.0
+        version: 7.1.0
 description: A Rails authentication plugin that takes a minimalist approach. It is
   designed to be simple to understand, use, and modify for your application.
 email:
@@ -60,6 +60,7 @@ files:
 - app/controllers/emails_controller.rb
 - app/controllers/password_resets_controller.rb
 - app/controllers/passwords_controller.rb
+- app/helpers/minimalist_authentication/application_helper.rb
 - app/mailers/application_mailer.rb
 - app/mailers/minimalist_authentication_mailer.rb
 - app/views/email_verifications/new.html.erb
@@ -94,7 +95,6 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/wwidea/minimalist_authentication
-  source_code_uri: https://github.com/wwidea/minimalist_authentication
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []