minimalist_authentication 3.3.0 → 3.4.0
- checksums.yaml +4 -4
- data/app/controllers/password_resets_controller.rb +4 -1
- data/app/controllers/passwords_controller.rb +3 -2
- data/config/locales/minimalist_authentication.en.yml +2 -0
- data/lib/minimalist_authentication/controller.rb +12 -0
- data/lib/minimalist_authentication/sessions.rb +5 -1
- data/lib/minimalist_authentication/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 30a0e5b2c5f11655889d24977dc758a7742a83621143a0a217838277d115325d
|
|
4
|
+
data.tar.gz: 86833ecb6f4e387fa385f3f5de89f0b17073ee291f706626a543c3858879d90b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 401499f54f4973a1cb93944728cd8fa8a8538eb328a41ff76de290050a437a60b37543c54189154029ee6e6d3b144cbd55612f4000079f2725065cce409f6c14
|
|
7
|
+
data.tar.gz: ece50dc5d0dd86534fec1225370232dc7029a039228fc3047379de0505d99a426cf8c036c7e918c10569e6499a74c49bf1047444be0009cf1a552c5879d0be01
|
|
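--- a/data/app/controllers/password_resets_controller.rb
+++ b/data/app/controllers/password_resets_controller.rb
@@ -5,7 +5,10 @@ class PasswordResetsController < ApplicationController
 
 layout "sessions"
 
-#
+# Limit create requests by ip address
+limit_creations
+
+# Password reset request form
 def new
 # new.html.erb
 end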
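--- a/data/app/controllers/passwords_controller.rb
+++ b/data/app/controllers/passwords_controller.rb
@@ -39,8 +39,9 @@ class PasswordsController < ApplicationController
 
 def authenticate_with_token
 @token = params[:token]
-@user = MinimalistAuthentication.user_model.active.find_by_token_for(purpose, @token)
-
+@user = MinimalistAuthentication.user_model.active.find_by_token_for!(purpose, @token)
+rescue ActiveRecord::RecordNotFound, ActiveSupport::MessageVerifier::InvalidSignature
+redirect_to(new_session_path, alert: t(".invalid_token"))
 end
 
 def password_params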
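Review bot: The `rescue` on new line 43 folds two distinct failures into one `invalid_token` alert and nothing in `authenticate_with_token` says so: `find_by_token_for!` raises `ActiveSupport::MessageVerifier::InvalidSignature` for an expired or tampered token, and `ActiveRecord::RecordNotFound` when the token verifies but the lookup, which appears to run inside the `active` scope, finds no user, so a valid token for a deactivated account is reported as invalid. That is presumably intentional, since a generic message avoids disclosing account state, but the next maintainer will not know whether it is. A comment above the `rescue`, e.g. `# A bad/expired token and a valid token for a missing or inactive user both land here; the generic alert deliberately does not distinguish them.`, would record that intent. `purpose` is defined outside the hunk.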
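--- a/data/lib/minimalist_authentication/controller.rb
+++ b/data/lib/minimalist_authentication/controller.rb
@@ -17,6 +17,18 @@ module MinimalistAuthentication
 helper_method :authorized?, :current_user, :logged_in?, :login_redirect_to
 end
 
+module ClassMethods
+def limit_creations(**)
+rate_limit(
+to: 10,
+within: 3.minutes,
+only: :create,
+with: -> { redirect_to new_session_path, alert: t("limit_creations.alert") },
+**
+)
+end
+end
+
 # Returns true if the user is logged in
 # Override this method in your controller to customize authorization
 def authorized?(_action = action_name, _resource = controller_name)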
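Review bot: `limit_creations` (new lines 21–29) says nothing about where its counters live: `rate_limit` keeps them in `Rails.cache`, so with the default `:null_store` in development or a per-process `:memory_store` behind several workers the `to: 10` budget is not enforced as written, and the `store:` option that `rate_limit` accepts can already be forwarded through the existing `**`. Suggest a comment above the method: `# Counters live in Rails.cache (override with store:); the limit is only shared across processes when the cache store is shared.` The default `by:` keys on `request.remote_ip`, which behind a reverse proxy is derived from forwarded headers, so clients behind one NAT share a budget and `trusted_proxies` must be configured correctly for the limit to mean what the callers' "by ip address" comments promise; a second comment line noting that would help. The enclosing module starts and ends outside the hunk.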
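--- a/data/lib/minimalist_authentication/sessions.rb
+++ b/data/lib/minimalist_authentication/sessions.rb
@@ -10,6 +10,10 @@ module MinimalistAuthentication
 
 skip_before_action :authorization_required, only: %i[new create]
 before_action :redirect_logged_in_users, only: :new
+
+# Limit create requests by ip address and user identifier
+limit_creations(to: 50)
+limit_creations(by: -> { identifier&.downcase })
 end
 
 def new
@@ -80,7 +84,7 @@ module MinimalistAuthentication
 end
 
 def identifier
-user_params
+user_params[:email] || user_params[:username]
 end
 
 def logout_redirect_to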
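Review bot: `identifier` on new line 87 uses `||`, and since `""` is truthy in Ruby a submitted but empty `email` wins over a populated `username`, so the per-identifier rate-limit key built on line 16 becomes `""` for every such request instead of the username; `user_params[:email].presence || user_params[:username]` keeps the intended fallback. When neither field is present the `by:` lambda yields `nil` and all identifier-less create requests appear to share a single 10-per-3-minutes bucket, which is presumably harmless because they cannot authenticate, but deserves a comment. The per-identifier limit also carries a trade-off worth documenting on line 14: ten failed attempts against a known username block that user's own sign-in for the rest of the window, so operators need to know the window is short and the response is a redirect with an alert rather than an account lock when tuning `to:`/`within:`. `user_params` is defined outside the hunk.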