minimalist_authentication 3.2.0 → 3.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba64bc8499dedd0f4fe8dfca813cc0c21e2d32759bd3b3b4dd8aac3c0e77605a
-  data.tar.gz: 566e4b373c274fd7843469d4d225560baf877aabde97658b1aa5a66f3c97f65e
+  metadata.gz: c1755b9e403888ec8c63f8e41fd9a1286a45a983a7860e2e929bae4b8f2743cf
+  data.tar.gz: b8463c45d6240b16fff848d553050c14c8d3c3ddc3a2d6520e67860a1b59bf5d
 SHA512:
-  metadata.gz: 149c5f1eb8a13319ba9d4848a7851107433d96081ed9a1bf01e43cba0366cb1e873aaa47c10eefed29aba9b973bf53076ecefd6d7b6835bb1a9300a4db8813fc
-  data.tar.gz: 51aae04db4c7bcdf4a26009fc1278aa716aea12d95624fe74ffd21fb9d52e0c901ec78d15751df92c2ce2882544a54b80f623e72a53703e1a67b88072662aed9
+  metadata.gz: 6cffe51b8c6d48b71241e390fa79c46ec45fba7ee4cca744c079f6f6db0be88f5311424f0f615d183b6aec9bb685e25a5c2135360bec5e19d35cc23374dda27a
+  data.tar.gz: 10a06e82b2fdb2a22f59842221959408b49b43d7df801560d741179884beb192bde9c6d78e7972ecf30b2ee5f8ea603235d2f561c8913d2646ffc1e0fc0a3355

data/README.md

@@ -26,6 +26,13 @@ bin/rails generate model user active:boolean username:string password_digest:str
 
 
 ## Example
+Create a Current class that inherits from ActiveSupport::CurrentAttributes with a user attribute (app/models/current.rb)
+```ruby
+class Current < ActiveSupport::CurrentAttributes
+  attribute :user
+end
+```
+
 Include MinimalistAuthentication::User in your user model (app/models/user.rb)
 ```ruby
 class User < ApplicationRecord

data/app/controllers/passwords_controller.rb

@@ -14,7 +14,7 @@ class PasswordsController < ApplicationController
 
   # Update user's password
   def update
-    if user.update(password_params.merge(password_required: true))
+    if user.update(password_params)
       redirect_to new_session_path, notice: t(".notice")
     else
       render :edit, status: :unprocessable_entity

data/app/validators/password_exclusivity_validator.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class PasswordExclusivityValidator < ActiveModel::EachValidator
+  # Ensure password does not match username or email.
+  def validate_each(record, attribute, value)
+    %w[username email].each do |field|
+      record.errors.add(attribute, "can not match #{field}") if value.casecmp?(record.try(field))
+    end
+  end
+end

data/lib/minimalist_authentication/controller.rb

@@ -5,8 +5,11 @@ module MinimalistAuthentication
     extend ActiveSupport::Concern
 
     included do
-      # Lock down everything by default
-      # use skip_before_action to open up specific actions
+      # Loads the user object from the session and assigns it to Current.user
+      before_action :load_current_user
+
+      # Requires an authorized user for all actions
+      # Use skip_before_action to allow access to specific actions
       before_action :authorization_required
 
       helper MinimalistAuthentication::ApplicationHelper
@@ -14,35 +17,47 @@ module MinimalistAuthentication
       helper_method :current_user, :logged_in?, :authorized?
     end
 
-    private
+    # Returns true if the user is logged in
+    # Override this method in your controller to customize authorization
+    def authorized?(_action = action_name, _resource = controller_name)
+      logged_in?
+    end
 
+    # Returns the current user from the client application Current class
     def current_user
-      @current_user ||= find_session_user || MinimalistAuthentication.configuration.user_model.guest
+      ::Current.user
     end
 
-    def find_session_user
-      MinimalistAuthentication.configuration.user_model.find_enabled(session_user_id)
+    # Returns true if a current user is present, otherwise returns false
+    def logged_in?
+      current_user.present?
     end
 
-    def session_user_id
-      session[MinimalistAuthentication.configuration.session_key]
+    # Logs in a user by setting the session key and updating the Current user
+    # Should only be called after a successful authentication
+    def update_current_user(user)
+      reset_session
+      session[MinimalistAuthentication.session_key] = user.id
+      ::Current.user = user
     end
 
-    def authorization_required
-      authorized? || access_denied
+    private
+
+    def access_denied
+      store_location if request.get? && !logged_in?
+      redirect_to new_session_path
     end
 
-    def authorized?(_action = action_name, _resource = controller_name)
-      logged_in?
+    def authorization_required
+      authorized? || access_denied
     end
 
-    def logged_in?
-      !current_user.guest?
+    def find_session_user
+      MinimalistAuthentication.user_model.find_enabled(session[MinimalistAuthentication.session_key])
     end
 
-    def access_denied
-      store_location if request.get? && !logged_in?
-      redirect_to new_session_path
+    def load_current_user
+      Current.user = find_session_user
     end
 
     def store_location

data/lib/minimalist_authentication/sessions.rb

@@ -42,9 +42,8 @@ module MinimalistAuthentication
 
     def log_in_user
       self.return_to = session["return_to"]
-      reset_session
+      update_current_user(authenticated_user)
       authenticated_user.logged_in
-      session[MinimalistAuthentication.configuration.session_key] = authenticated_user.id
     end
 
     def user_params

data/lib/minimalist_authentication/test_helper.rb

@@ -5,22 +5,22 @@ module MinimalistAuthentication
     PASSWORD = "test-password"
     PASSWORD_DIGEST = BCrypt::Password.create(PASSWORD, cost: BCrypt::Engine::MIN_COST)
 
-    def login_as(user_fixture_name, password = PASSWORD)
-      post session_path, params: { user: { email: users(user_fixture_name).email, password: } }
-    end
-
     def current_user
       @current_user ||= load_user_from_session
     end
 
+    def login_as(user_fixture_name, password = PASSWORD)
+      post session_path, params: { user: { email: users(user_fixture_name).email, password: } }
+    end
+
     private
 
     def load_user_from_session
-      MinimalistAuthentication.configuration.user_model.find(session_user_id) if session_user_id
+      MinimalistAuthentication.user_model.find(session_user_id) if session_user_id
     end
 
     def session_user_id
-      @request.session[MinimalistAuthentication.configuration.session_key]
+      @request.session[MinimalistAuthentication.session_key]
     end
   end
 end

data/lib/minimalist_authentication/user.rb

@@ -6,8 +6,6 @@ module MinimalistAuthentication
   module User
     extend ActiveSupport::Concern
 
-    GUEST_USER_EMAIL = "guest"
-
     included do
       has_secure_password
 
@@ -15,9 +13,6 @@ module MinimalistAuthentication
         password_salt.last(10)
       end
 
-      # Force validations for a blank password.
-      attribute :password_required, :boolean, default: false
-
       # Email validations
       validates(
         :email,
@@ -29,10 +24,13 @@ module MinimalistAuthentication
 
       # Password validations
       # Adds validations for minimum password length and exclusivity.
-      # has_secure_password adds validations for presence, maximum length, confirmation,
-      # and password_challenge.
-      validates :password, length: { minimum: :password_minimum }, if: :validate_password?
-      validate :password_exclusivity, if: :password?
+      # has_secure_password includes validations for presence, maximum length, confirmation, and password_challenge.
+      validates(
+        :password,
+        password_exclusivity: true,
+        length:               { minimum: :password_minimum },
+        allow_blank:          true
+      )
 
       # Active scope
       scope :active, ->(state = true) { where(active: state) }
@@ -54,11 +52,6 @@ module MinimalistAuthentication
         active(false)
       end
 
-      # Returns a frozen user with the email set to GUEST_USER_EMAIL.
-      def guest
-        new(email: GUEST_USER_EMAIL).freeze
-      end
-
       # Minimum password length
       def password_minimum = 12
     end
@@ -74,15 +67,9 @@ module MinimalistAuthentication
       active?
     end
 
-    # Remove the has_secure_password password blank error if password is not required.
+    # Remove the has_secure_password password blank error if user is inactive.
     def errors
-      super.tap { |errors| errors.delete(:password, :blank) unless validate_password? }
-    end
-
-    # Returns true if the user is not active.
-    def inactive?
-      MinimalistAuthentication.deprecator.warn("Calling #inactive? is deprecated.")
-      !active?
+      super.tap { |errors| errors.delete(:password, :blank) if inactive? }
     end
 
     # Returns true if password matches the hashed_password, otherwise returns false.
@@ -93,9 +80,19 @@ module MinimalistAuthentication
       authenticate(password)
     end
 
-    # Check if user is a guest based on their email attribute
+    # Deprecated method to check if the user is a guest. Returns false because the guest user has been removed.
     def guest?
-      email == GUEST_USER_EMAIL
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #guest? is deprecated. Use #MinimalistAuthentication::Controller#logged_in? to
+        check for the presence of a current_user instead.
+      MSG
+
+      false
+    end
+
+    # Returns true if the user is not active.
+    def inactive?
+      !active?
     end
 
     # Sets #last_logged_in_at to the current time without updating the updated_at timestamp.
@@ -103,32 +100,13 @@ module MinimalistAuthentication
       update_column(:last_logged_in_at, Time.current)
     end
 
-    # Checks for password presence
-    def password?
-      password.present?
-    end
-
     private
 
-    # Ensure password does not match username or email.
-    def password_exclusivity
-      %w[username email].each do |field|
-        errors.add(:password, "can not match #{field}") if password.casecmp?(try(field))
-      end
-    end
-
     # Return true if the user matches the owner of the provided token.
     def token_owner?(purpose, token)
       self.class.find_by_token_for(purpose, token) == self
     end
 
-    # Require password for active users that either do no have a password hash
-    # stored OR are attempting to set a new password. Set **password_required**
-    # to true to force validations even when the password field is blank.
-    def validate_password?
-      active? && (password_digest.blank? || password? || password_required?)
-    end
-
     # Validate email for all users.
     # Applications can turn off email validation by setting the validate_email
     # configuration attribute to false.

data/lib/minimalist_authentication/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MinimalistAuthentication
-  VERSION = "3.2.0"
+  VERSION = "3.2.2"
 end

data/lib/minimalist_authentication.rb

@@ -12,7 +12,7 @@ require "minimalist_authentication/test_helper"
 
 module MinimalistAuthentication
   class << self
-    delegate :user_model, to: :configuration
+    delegate :session_key, :user_model, to: :configuration
 
     def deprecator
       @deprecator ||= ActiveSupport::Deprecation.new("4.0", name)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: minimalist_authentication
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.2.2
 platform: ruby
 authors:
 - Aaron Baldwin
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-21 00:00:00.000000000 Z
+date: 2024-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -63,6 +63,7 @@ files:
 - app/helpers/minimalist_authentication/application_helper.rb
 - app/mailers/application_mailer.rb
 - app/mailers/minimalist_authentication_mailer.rb
+- app/validators/password_exclusivity_validator.rb
 - app/views/email_verifications/new.html.erb
 - app/views/email_verifications/show.html.erb
 - app/views/emails/edit.html.erb