minimalist_authentication 3.2.4 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0e7fbd42fef46be26f68d4df9257963d7f694405da2f863fa0a34d04d4c390d
-  data.tar.gz: d10c06d41126ff04dc4e09fa3ebfa80c3aa29a479b1893c3c0a8ed583b204da3
+  metadata.gz: 30a0e5b2c5f11655889d24977dc758a7742a83621143a0a217838277d115325d
+  data.tar.gz: 86833ecb6f4e387fa385f3f5de89f0b17073ee291f706626a543c3858879d90b
 SHA512:
-  metadata.gz: aea05763f08f292f4464b94ff5c594523203c0d191a8b8ca3e9e3a315873290666c8314c5603f648d05535ddbecd2ef62d65c56925c7b0e7d9332bd236a87a19
-  data.tar.gz: acfa6f1729a24eb67a3d0d76ec7db12b67c19f4c7b52a81867b63859b3f8fceb2981e4a025a8039fc5d0f47e3de874e7f716c714a8860cf86a4acaa54ea74c38
+  metadata.gz: 401499f54f4973a1cb93944728cd8fa8a8538eb328a41ff76de290050a437a60b37543c54189154029ee6e6d3b144cbd55612f4000079f2725065cce409f6c14
+  data.tar.gz: ece50dc5d0dd86534fec1225370232dc7029a039228fc3047379de0505d99a426cf8c036c7e918c10569e6499a74c49bf1047444be0009cf1a552c5879d0be01

data/README.md

@@ -1,8 +1,9 @@
 # MinimalistAuthentication
-A Rails authentication gem that takes a minimalist approach. It is designed to be simple to understand, use, and customize for your application.
 
+A Rails authentication gem that takes a minimalist approach. It is designed to be simple to understand, use, and customize for your application.
 
 ## Installation
+
 Add this line to your application's Gemfile:
 
 ```ruby
@@ -10,23 +11,27 @@ gem "minimalist_authentication"
 ```
 
 And then run:
+
 ```bash
-$ bundle
+bundle
 ```
 
 Create a user model with **email** for an identifier:
+
 ```bash
 bin/rails generate model user active:boolean email:string password_digest:string last_logged_in_at:datetime
 ```
 
 OR create a user model with **username** for an identifier:
+
 ```bash
 bin/rails generate model user active:boolean username:string password_digest:string last_logged_in_at:datetime
 ```
 
-
 ## Example
+
 Create a Current class that inherits from ActiveSupport::CurrentAttributes with a user attribute (app/models/current.rb)
+
 ```ruby
 class Current < ActiveSupport::CurrentAttributes
   attribute :user
@@ -34,6 +39,7 @@ end
 ```
 
 Include MinimalistAuthentication::User in your user model (app/models/user.rb)
+
 ```ruby
 class User < ApplicationRecord
   include MinimalistAuthentication::User
@@ -41,6 +47,7 @@ end
 ```
 
 Include MinimalistAuthentication::Controller in your ApplicationController (app/controllers/application.rb)
+
 ```ruby
 class ApplicationController < ActionController::Base
   include MinimalistAuthentication::Controller
@@ -48,6 +55,7 @@ end
 ```
 
 Include MinimalistAuthentication::Sessions in your SessionsController (app/controllers/sessions_controller.rb)
+
 ```ruby
 class SessionsController < ApplicationController
   include MinimalistAuthentication::Sessions
@@ -55,6 +63,7 @@ end
 ```
 
 Add session to your routes file (config/routes.rb)
+
 ```ruby
 Rails.application.routes.draw do
   resource :session, only: %i(new create destroy)
@@ -62,29 +71,35 @@ end
 ```
 
 Include Minimalist::TestHelper in your test helper (test/test_helper.rb)
+
 ```ruby
 class ActiveSupport::TestCase
   include MinimalistAuthentication::TestHelper
 end
 ```
 
-
 ## Configuration
+
 Customize the configuration with an initializer. Create a **minimalist_authentication.rb** file in config/initializers.
+
 ```ruby
 MinimalistAuthentication.configure do |configuration|
-  configuration.login_redirect_path       = :custom_path        # default is :root_path
-  configuration.logout_redirect_path      = :custom_path        # default is :new_session_path
-  configuration.request_email             = true                # default is true
-  configuration.session_key               = :custom_session_key # default is :user_id
-  configuration.user_model_name           = "CustomModelName"   # default is "::User"
-  configuration.validate_email            = true                # default is true
-  configuration.validate_email_presence   = true                # default is true
-  configuration.verify_email              = true                # default is true
+  configuration.account_setup_duration      = 3.days              # default: 1.day
+  configuration.email_verification_duration = 30.minutes          # default: 1.hour
+  configuration.login_redirect_path         = :custom_path        # default: :root_path
+  configuration.logout_redirect_path        = :custom_path        # default: :new_session_path
+  configuration.password_reset_duration     = 30.minutes          # default: 1.hour
+  configuration.request_email               = true                # default: true
+  configuration.session_key                 = :custom_session_key # default: :user_id
+  configuration.user_model_name             = "CustomModelName"   # default: "::User"
+  configuration.validate_email              = true                # default: true
+  configuration.validate_email_presence     = true                # default: true
+  configuration.verify_email                = true                # default: true
 end
 ```
 
 ### Example with a Person Model
+
 ```ruby
 MinimalistAuthentication.configure do |configuration|
   configuration.login_redirect_path     = :dashboard_path
@@ -94,18 +109,20 @@ MinimalistAuthentication.configure do |configuration|
 end
 ```
 
-
 ## Fixtures
+
 Use **MinimalistAuthentication::TestHelper::PASSWORD_DIGEST** to create a password_digest for fixture users.
+
 ```yaml
 example_user:
-  email:            user@example.com
-  password_digest:  <%= MinimalistAuthentication::TestHelper::PASSWORD_DIGEST %>
+  email: user@example.com
+  password_digest: <%= MinimalistAuthentication::TestHelper::PASSWORD_DIGEST %>
 ```
 
-
 ## Email Verification
+
 Include MinimalistAuthentication::EmailVerification in your user model (app/models/user.rb)
+
 ```ruby
 class User < ApplicationRecord
   include MinimalistAuthentication::User
@@ -114,18 +131,37 @@ end
 ```
 
 Add the **email_verified_at** column to your user model:
+
 ```bash
 bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetime
 ```
 
-
 ## Verification Tokens
-Verification token support is provided by the ```ActiveRecord::TokenFor#generate_token_for``` method. MinimalistAuthentication includes token definitions for **password_reset** and **email_verification**. These tokens are utilized by the **update_password** and **verify_email** email messages respectively, to allow users to update their passwords and verify their email addresses.
 
-### Update Password
-The **update_password** token expires in 1 hour and is invalidated when the user's password is changed.
+Verification token support is provided by the `ActiveRecord::TokenFor#generate_token_for` method.
+MinimalistAuthentication includes token definitions for **account_setup**, **password_reset**, and **email_verification**.
+
+### Account Setup
+
+The **account_setup** token is used for new users to set their initial password.
+The token expires in 1 day and is invalidated when the user's password is changed.
 
 #### Example
+
+```ruby
+token = user.generate_token_for(:account_setup)
+User.find_by_token_for(:account_setup, token) # => user
+user.update!(password: "new password")
+User.find_by_token_for(:account_setup, token) # => nil
+```
+
+### Password Reset
+
+The **password_reset** token is used for existing users to reset their password.
+The token expires in 1 hour and is invalidated when the user's password is changed.
+
+#### Example
+
 ```ruby
 token = user.generate_token_for(:password_reset)
 User.find_by_token_for(:password_reset, token) # => user
@@ -134,9 +170,11 @@ User.find_by_token_for(:password_reset, token) # => nil
 ```
 
 ### Email Verification
+
 The **email_verification** token expires in 1 hour and is invalidated when the user's email is changed.
 
 #### Example
+
 ```ruby
 token = user.generate_token_for(:email_verification)
 User.find_by_token_for(:email_verification, token) # => user
@@ -144,10 +182,10 @@ user.update!(email: "new_email@example.com")
 User.find_by_token_for(:email_verification, token) # => nil
 ```
 
-
 ## Conversions
 
 ### Upgrading to Version 2.0
+
 Pre 2.0 versions of MinimalistAuthentication supported multiple hash algorithms
 and stored the hashed password and salt as separate fields in the database
 (crypted_password and salt). The 2.0 version of MinimalistAuthentication
@@ -155,9 +193,11 @@ uses BCrypt to hash passwords and stores the result in the **password_hash** fie
 
 To convert from a pre 2.0 version add the **password_hash** to your user model
 and run the conversion routine.
+
 ```bash
 bin/rails generate migration AddPasswordHashToUsers password_hash:string
 ```
+
 ```ruby
 MinimalistAuthentication::Conversions::MergePasswordHash.run!
 ```
@@ -166,15 +206,21 @@ When the conversion is complete the **crypted_password**, **salt**, and
 **using_digest_version** fields can safely be removed.
 
 ### Upgrading to Version 3.0
-Version 3.0 of MinimalistAuthentication uses the Rails has_secure_password for authentication. This change requires either renaming the **password_hash** column to **password_digest** or adding an alias_attribute to map **password_digest** to **password_hash**.
+
+Version 3.0 of MinimalistAuthentication uses the Rails has_secure_password for authentication.
+This change requires either renaming the **password_hash** column to **password_digest** or adding
+an alias_attribute to map **password_digest** to **password_hash**.
 
 #### Rename the **password_hash** column to **password_digest**
+
 Add a migration to rename the column in your users table:
+
 ```bash
 bin/rails generate migration rename_users_password_hash_to_password_digest
 ```
 
 Update the change method:
+
 ```ruby
 def change
   rename_column :users, :password_hash, :password_digest
@@ -182,13 +228,15 @@ end
 ```
 
 #### Alternatively, add **alias_attribute** to your user model
+
 ```ruby
 alias_attribute :password_digest, :password_hash
 ```
 
 ### Upgrading to Version 3.2
-The **verification_token** and **verification_token_generated_at** database columns are no longer used and can be safely removed from your user model.
 
+The **verification_token** and **verification_token_generated_at** database columns are no longer used and can be safely removed from your user model.
 
 ## License
-The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT)..
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/app/controllers/email_verifications_controller.rb

@@ -3,7 +3,7 @@
 class EmailVerificationsController < ApplicationController
   # Verifies the email of the current_user using the provided token
   def show
-    current_user.verify_email(params[:token])
+    current_user.verify_email_with(params[:token])
   end
 
   # Form for current_user to request an email verification email

data/app/controllers/password_resets_controller.rb

@@ -5,7 +5,10 @@ class PasswordResetsController < ApplicationController
 
   layout "sessions"
 
-  # Renders form for user to request a password reset
+  # Limit create requests by ip address
+  limit_creations
+
+  # Password reset request form
   def new
     # new.html.erb
   end
@@ -13,7 +16,7 @@ class PasswordResetsController < ApplicationController
   # Send a password update link to users with a verified email
   def create
     if email_valid?
-      send_update_password_email if user
+      send_update_password_email(user)
 
       # Always display notice to prevent leaking user emails
       redirect_to new_session_path, notice: t(".notice", email:)
@@ -29,12 +32,12 @@ class PasswordResetsController < ApplicationController
     params.dig(:user, :email)
   end
 
-  def send_update_password_email
-    MinimalistAuthenticationMailer.with(user:).update_password.deliver_now
+  def send_update_password_email(user)
+    MinimalistAuthenticationMailer.with(user:).update_password.deliver_now if user
   end
 
   def user
-    @user ||= MinimalistAuthentication.user_model.find_by_verified_email(email:)
+    MinimalistAuthentication.user_model.active.find_by(email:)
   end
 
   def email_valid?

data/app/controllers/passwords_controller.rb

@@ -1,41 +1,62 @@
 # frozen_string_literal: true
 
 class PasswordsController < ApplicationController
-  skip_before_action :authorization_required
+  ACTION_TOKEN_PURPOSES = ActiveSupport::HashWithIndifferentAccess.new(
+    new:    :account_setup,
+    create: :account_setup,
+    edit:   :password_reset,
+    update: :password_reset
+  ).freeze
+
+  attr_reader :user
 
-  before_action :validate_token, only: %i[edit update]
+  skip_before_action :authorization_required
+  before_action :authenticate_with_token
 
   layout "sessions"
 
-  # From for user to update password
+  # Set password form
+  def new
+    # new.html.erb
+  end
+
+  # Sets user password
+  def create
+    update_password(:new)
+  end
+
+  # Update password form
   def edit
     # edit.html.erb
   end
 
-  # Update user's password
+  # Resets user password
   def update
-    if user.update(password_params)
-      redirect_to new_session_path, notice: t(".notice")
-    else
-      render :edit, status: :unprocessable_content
-    end
+    update_password(:new)
   end
 
   private
 
-  def password_params
-    params.require(:user).permit(:password, :password_confirmation)
+  def authenticate_with_token
+    @token = params[:token]
+    @user = MinimalistAuthentication.user_model.active.find_by_token_for!(purpose, @token)
+  rescue ActiveRecord::RecordNotFound, ActiveSupport::MessageVerifier::InvalidSignature
+    redirect_to(new_session_path, alert: t(".invalid_token"))
   end
 
-  def token
-    @token ||= params[:token]
+  def password_params
+    params.require(:user).permit(:password, :password_confirmation)
   end
 
-  def user
-    @user ||= MinimalistAuthentication.user_model.active.find_by_token_for(:password_reset, token)
+  def purpose
+    ACTION_TOKEN_PURPOSES[action_name]
   end
 
-  def validate_token
-    redirect_to(new_session_path, alert: t(".invalid_token")) unless user
+  def update_password(template)
+    if user.verified_update(password_params)
+      redirect_to new_session_path, notice: t(".notice")
+    else
+      render template, status: :unprocessable_content
+    end
   end
 end

data/app/helpers/minimalist_authentication/application_helper.rb

@@ -2,13 +2,17 @@
 
 module MinimalistAuthentication
   module ApplicationHelper
+    def ma_change_email_link
+      link_to("Change", edit_email_path)
+    end
+
     def ma_confirm_password_field(form, options = {})
       form.password_field(
         :password_confirmation,
         options.reverse_merge(
           autocomplete: "new-password",
           minlength:    MinimalistAuthentication.user_model.password_minimum,
-          placeholder:  t(".password_confirmation.placeholder"),
+          placeholder:  true,
           required:     true
         )
       )
@@ -36,7 +40,7 @@ module MinimalistAuthentication
         options.reverse_merge(
           autocomplete: "new-password",
           minlength:    MinimalistAuthentication.user_model.password_minimum,
-          placeholder:  t(".password.placeholder"),
+          placeholder:  true,
           required:     true
         )
       )
@@ -53,6 +57,10 @@ module MinimalistAuthentication
       )
     end
 
+    def ma_skip_link
+      link_to("Skip", login_redirect_to)
+    end
+
     def ma_username_field(form, options = {})
       form.text_field(
         :username,

data/app/views/email_verifications/new.html.erb

@@ -1,14 +1,12 @@
-<h2>Please verify your email address</h2>
+<h2><%= t(".title") %></h2>
 
 <p>
   <strong><%= current_user.email %></strong>
-  <em><%= link_to('change', edit_email_path) %></em>
+  <em><%= ma_change_email_link %></em>
 </p>
 
-<%= form_tag email_verification_path do |form| %>
-  <%= submit_tag 'Send Verification Email' %>
-<% end %>
+<%= button_to t(".button"), email_verification_path %>
 
-<p>Verifying your email will allow you to receive confidential messages and reset your password.</p>
+<p><%= t(".message") %></p>
 
-<%= link_to('Skip Email Verification', dashboard_path) %>
+<%= ma_skip_link %>

data/app/views/emails/edit.html.erb

@@ -1,12 +1,12 @@
-<h1>Email Update</h1>
+<h1><%= t(".title") %></h1>
 
-<h2>Please update your email address</h2>
+<h2><%= t(".instructions") %></h2>
 
 <%= form_with(model: current_user, url: email_path) do |form| %>
   <%= form.text_field :email %>
-  <%= form.submit "Update" %>
+  <%= form.submit t(".submit") %>
 <% end %>
 
-<p>Providing your email will allow you to receive confidential messages and reset your password.</p>
+<p><%= t(".message") %></p>
 
-<%= link_to("Skip Email Update", dashboard_path) %>
+<%= ma_skip_link %>

data/app/views/passwords/_form.html.erb

@@ -0,0 +1,16 @@
+<%# locals: (user:, token:, method: nil) %>
+
+<%= user.errors.full_messages if user.errors.any? %>
+
+<%= form_with(model: user, url: password_path(token: token), method:) do |form| %>
+  <div>
+    <%= form.label :password %>
+    <%= ma_new_password_field(form) %>
+  </div>
+  <div>
+    <%= form.label :password_confirmation %>
+    <%= ma_confirm_password_field(form) %>
+  </div>
+  <%= form.submit t(".submit") %>
+<% end %>
+

data/app/views/passwords/edit.html.erb

@@ -2,16 +2,4 @@
 
 <p><%= t(".instructions") %></p>
 
-<%= @user.errors.full_messages if @user.errors.any? %>
-
-<%= form_with model: @user, url: password_path(token: @token) do |form| %>
-  <div>
-    <%= form.label :password %>
-    <%= ma_new_password_field(form) %>
-  </div>
-  <div>
-    <%= form.label :password_confirmation %>
-    <%= ma_confirm_password_field(form) %>
-  </div>
-  <%= form.submit t(".submit") %>
-<% end %>
+<%= render("form", user: @user, token: @token) %>

data/app/views/passwords/new.html.erb

@@ -0,0 +1,5 @@
+<h1><%= t(".title") %></h1>
+
+<p><%= t(".instructions") %></p>
+
+<%= render("form", user: @user, token: @token, method: :post) %>

data/config/locales/minimalist_authentication.en.yml

@@ -2,9 +2,20 @@ en:
   email_verifications:
     create:
       notice: Verification email sent to %{email}, follow the instructions to complete verification. Thank you!
+    new:
+      button: Send Verification Email
+      message: Verifying your email will allow you to receive confidential messages.
+      title: Please verify your email address
   emails:
+    edit:
+      instructions: Please update your email address
+      message: Providing your email will allow you to receive confidential messages and reset your password.
+      submit: Update
+      title: Email Update
     update:
       notice: Email successfully updated
+  limit_creations:
+    alert: Please try again later.
   minimalist_authentication_mailer:
     update_password:
       opening: Please click the link below to update your password.
@@ -26,15 +37,14 @@ en:
   passwords:
     edit:
       instructions: Please enter your new password.
-      password:
-        placeholder: New password
-      password_confirmation:
-        placeholder: Confirm password
-      submit: Reset Password
       title: Reset Password
-    invalid_token: Your password reset link has expired. Please request a new one to continue.
-    update:
-      notice: Password successfully updated
+    form:
+      submit: Save Password
+    invalid_token: Your link has expired or is invalid. Please request a new one to continue.
+    new:
+      instructions: Choose a secure password to complete your account setup.
+      title: Complete Your Account Setup
+    notice: Password successfully updated
   sessions:
     create:
       alert: Couldn't log you in as %{identifier}

data/config/routes.rb

@@ -4,5 +4,5 @@ Rails.application.routes.draw do
   resource :email_verification, only: %i[show new create]
   resource :email,              only: %i[edit update]
   resource :password_reset,     only: %i[new create]
-  resource :password,           only: %i[edit update]
+  resource :password,           only: %i[new create edit update]
 end

data/lib/minimalist_authentication/configuration.rb

@@ -17,50 +17,42 @@ module MinimalistAuthentication
   end
 
   class Configuration
+    include ActiveModel::Attributes
+
+    # The duration for which the account_setup token is valid.
+    attribute :account_setup_duration, default: 1.day
+
+    # The duration for which the email_verification token is valid.
+    attribute :email_verification_duration, default: 1.hour
+
+    # Where to route users after a successful login.
+    attribute :login_redirect_path, default: :root_path
+
+    # Where to route users after logging out.
+    attribute :logout_redirect_path, default: :new_session_path
+
+    # The duration for which the password_reset token is valid.
+    attribute :password_reset_duration, default: 1.hour
+
+    # Check for users email at login and request if blank. Only useful if using
+    # username to login and users might not have an email set.
+    attribute :request_email, :boolean, default: true
+
     # The session_key used to store the current_user id.
-    # Defaults to :user_id
-    attr_accessor :session_key
+    attribute :session_key, default: :user_id
 
     # The application user class name
-    # Defaults to '::User'
-    attr_accessor :user_model_name
+    attribute :user_model_name, :string, default: "::User"
 
     # Toggle all email validations.
-    # Defaults to true.
-    attr_accessor :validate_email
+    attribute :validate_email, :boolean, default: true
 
     # Toggle email presence validation.
-    # Defaults to true.
     # Note: validate_email_presence is only checked if validate_email is true.
-    attr_accessor :validate_email_presence
-
-    # Check for users email at login and request if blank. Only useful if using
-    # username to login and users might not have an email set.
-    # Defaults to true
-    attr_accessor :request_email
+    attribute :validate_email_presence, :boolean, default: true
 
     # Verify users email address at login.
-    # Defaults to true.
-    attr_accessor :verify_email
-
-    # Where to route users after a successful login.
-    # Defaults to :root_path
-    attr_accessor :login_redirect_path
-
-    # Where to route users after logging out.
-    # Defaults to :new_session_path
-    attr_accessor :logout_redirect_path
-
-    def initialize
-      self.user_model_name          = "::User"
-      self.session_key              = :user_id
-      self.validate_email           = true
-      self.validate_email_presence  = true
-      self.request_email            = true
-      self.verify_email             = true
-      self.login_redirect_path      = :root_path
-      self.logout_redirect_path     = :new_session_path
-    end
+    attribute :verify_email, :boolean, default: true
 
     # Clear the user_model class
     def clear_user_model

data/lib/minimalist_authentication/controller.rb

@@ -14,7 +14,19 @@ module MinimalistAuthentication
 
       helper MinimalistAuthentication::ApplicationHelper
 
-      helper_method :current_user, :logged_in?, :authorized?
+      helper_method :authorized?, :current_user, :logged_in?, :login_redirect_to
+    end
+
+    module ClassMethods
+      def limit_creations(**)
+        rate_limit(
+          to:     10,
+          within: 3.minutes,
+          only:   :create,
+          with:   -> { redirect_to new_session_path, alert: t("limit_creations.alert") },
+          **
+        )
+      end
     end
 
     # Returns true if the user is logged in
@@ -33,6 +45,11 @@ module MinimalistAuthentication
       current_user.present?
     end
 
+    # Returns the path to redirect to after login
+    def login_redirect_to
+      public_send(MinimalistAuthentication.configuration.login_redirect_path)
+    end
+
     # Logs in a user by setting the session key and updating the Current user
     # Should only be called after a successful authentication
     def update_current_user(user)

data/lib/minimalist_authentication/email_verification.rb

@@ -5,7 +5,7 @@ module MinimalistAuthentication
     extend ActiveSupport::Concern
 
     included do
-      generates_token_for :email_verification, expires_in: 1.hour do
+      generates_token_for :email_verification, expires_in: email_verification_duration do
         email
       end
 
@@ -15,6 +15,8 @@ module MinimalistAuthentication
     end
 
     module ClassMethods
+      delegate :email_verification_duration, :password_reset_duration, to: "MinimalistAuthentication.configuration"
+
       def email_verified
         MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
           Calling #email_verified is deprecated.
@@ -40,8 +42,12 @@ module MinimalistAuthentication
       email_verification_enabled? && email.present? && email_verified_at.blank?
     end
 
-    def verify_email(token)
-      touch(:email_verified_at) if token_owner?(:email_verification, token)
+    def verified_update(attributes)
+      super(attributes.merge(email_verified_at: Time.current))
+    end
+
+    def verify_email_with(token)
+      verify_email if token_owner?(:email_verification, token)
     end
 
     private
@@ -57,5 +63,9 @@ module MinimalistAuthentication
     def request_email_enabled?
       MinimalistAuthentication.configuration.request_email
     end
+
+    def verify_email
+      touch(:email_verified_at)
+    end
   end
 end

data/lib/minimalist_authentication/sessions.rb

@@ -10,6 +10,10 @@ module MinimalistAuthentication
 
       skip_before_action  :authorization_required,    only: %i[new create]
       before_action       :redirect_logged_in_users,  only: :new
+
+      # Limit create requests by ip address and user identifier
+      limit_creations(to: 50)
+      limit_creations(by: -> { identifier&.downcase })
     end
 
     def new
@@ -80,11 +84,7 @@ module MinimalistAuthentication
     end
 
     def identifier
-      user_params.values_at(*MinimalistAuthentication::Authenticator::LOGIN_FIELDS).compact.first
-    end
-
-    def login_redirect_to
-      send(MinimalistAuthentication.configuration.login_redirect_path)
+      user_params[:email] || user_params[:username]
     end
 
     def logout_redirect_to

data/lib/minimalist_authentication/test_helper.rb

@@ -2,6 +2,7 @@
 
 module MinimalistAuthentication
   module TestHelper
+    NEW_PASSWORD = "abcdef123456"
     PASSWORD = "test-password"
     PASSWORD_DIGEST = BCrypt::Password.create(PASSWORD, cost: BCrypt::Engine::MIN_COST)
 

data/lib/minimalist_authentication/user.rb

@@ -7,10 +7,18 @@ module MinimalistAuthentication
     extend ActiveSupport::Concern
 
     included do
-      has_secure_password
+      has_secure_password reset_token: { expires_in: password_reset_duration }
 
-      generates_token_for :password_reset, expires_in: 1.hour do
-        password_salt.last(10)
+      # Tracks if password was explicitly set. Used to conditionally require password presence.
+      attribute :password_updated, :boolean, default: false
+
+      define_method(:password=) do |value|
+        self.password_updated = true
+        super(value)
+      end
+
+      generates_token_for :account_setup, expires_in: account_setup_duration do
+        password_salt&.last(10)
       end
 
       # Email validations
@@ -39,6 +47,8 @@ module MinimalistAuthentication
     end
 
     module ClassMethods
+      delegate :account_setup_duration, :password_reset_duration, to: "MinimalistAuthentication.configuration"
+
       # Finds a user by their id and returns the user if they are enabled.
       # Returns nil if the user is not found or not enabled.
       def find_enabled(id)
@@ -67,9 +77,9 @@ module MinimalistAuthentication
       active?
     end
 
-    # Remove the has_secure_password password blank error if user is inactive.
+    # Remove the has_secure_password password blank error when password is not required.
     def errors
-      super.tap { |errors| errors.delete(:password, :blank) if inactive? }
+      super.tap { |errors| errors.delete(:password, :blank) unless password_required? }
     end
 
     # Returns true if password matches the hashed_password, otherwise returns false.
@@ -100,8 +110,18 @@ module MinimalistAuthentication
       update_column(:last_logged_in_at, Time.current)
     end
 
+    # Overridden by EmailVerification to verify email upon update.
+    def verified_update(*)
+      update(*)
+    end
+
     private
 
+    # Password presence is required for active users who are updating their password.
+    def password_required?
+      active? && password_updated?
+    end
+
     # Return true if the user matches the owner of the provided token.
     def token_owner?(purpose, token)
       self.class.find_by_token_for(purpose, token) == self

data/lib/minimalist_authentication/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MinimalistAuthentication
-  VERSION = "3.2.4"
+  VERSION = "3.4.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: minimalist_authentication
 version: !ruby/object:Gem::Version
-  version: 3.2.4
+  version: 3.4.0
 platform: ruby
 authors:
 - Aaron Baldwin
@@ -73,7 +73,9 @@ files:
 - app/views/minimalist_authentication_mailer/verify_email.html.erb
 - app/views/minimalist_authentication_mailer/verify_email.text.erb
 - app/views/password_resets/new.html.erb
+- app/views/passwords/_form.html.erb
 - app/views/passwords/edit.html.erb
+- app/views/passwords/new.html.erb
 - app/views/sessions/_form.html.erb
 - app/views/sessions/new.html.erb
 - config/locales/minimalist_authentication.en.yml
@@ -103,7 +105,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.1.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="