minimalist_authentication 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c706bf1ccf629eedb3a910b68a983ae2d4869f4d
-  data.tar.gz: 8d5f220c4f4ac6d91c445c3a946fc913ba5d1cbd
+  metadata.gz: 6646211204dbc15edbbe5a48d00546cdb826acde
+  data.tar.gz: 00dfd3515eb12f919abb0bff9da8e76823235065
 SHA512:
-  metadata.gz: aeb1bfee96f489dd77baa1c3fa9059fdcc3e335cc9b50e387be72c5efd6f859f92c4827783e4a51722bf6482edfd0c1f961e43d6c65b93dd6f2467786aebb3d2
-  data.tar.gz: a0e7282735c59607dc0373a8940885659b8df6981ffeefe6e47535f99cc23b0058ea4084a9a9233f73562811179a208f29628b744afdefdd593e468b1760d33e
+  metadata.gz: 06de541cfc8129ab8fc70e39b5a4d29cd565f4dfdd26a38225d40a7dc0d18bed65f0ef3b1fb6c7530af964ebb7e7393916a9c4247c4212f0e5f995c1471f6b8c
+  data.tar.gz: d21ffa2de1ff35cbea0d03cbacf59ad5b0e6163c802065c474d4d4b830d3d015c76f12f5d295a86d5d3603c44e7a63b47010cdcdc6144ce032a91a26f2753514

data/README.md

@@ -65,10 +65,15 @@ end
 Customize the configuration with an initializer. Create a **minimalist_authentication.rb** file in /Users/baldwina/git/brightways/config/initializers.
 ```ruby
 MinimalistAuthentication.configure do |configuration|
-  configuration.user_model_name   = 'CustomModelName'     # default is '::User'
-  configuration.session_key       = :custom_session_key   # default is ':user_id'
-  validate_email                  = true                  # default is true
-  validate_email_presence         = true                  # default is true
+  configuration.user_model_name           = 'CustomModelName'   # default is '::User'
+  configuration.session_key               = :custom_session_key # default is :user_id
+  configuration.validate_email            = true                # default is true
+  configuration.validate_email_presence   = true                # default is true
+  configuration.request_email             = true                # default is true
+  configuration.verify_email              = true                # default is true
+  configuration.login_redirect_path       = :custom_path        # default is :root_path
+  configuration.logout_redirect_path      = :custom_path        # default is :new_session_path
+  configuration.email_prefix              = '[Custom Prefix]'   # default is application name
 end
 ```
 
@@ -83,6 +88,41 @@ example_user:
 ```
 
 
+## Verification Tokens
+Verification token support is provided by the **MinimalistAuthentication::VerifiableToken**
+module. Include the module in your user class and add the verification token columns
+to the database.
+
+Include MinimalistAuthentication::VerifiableToken in your user model (app/models/user.rb)
+```ruby
+class User < ApplicationRecord
+  include MinimalistAuthentication::User
+  include MinimalistAuthentication::VerifiableToken
+end
+```
+
+Add the **verification_token** and **verification_token_generated_at** columns:
+Create a user model with **email** for an identifier:
+```bash
+bin/rails generate migration AddVerificationTokenToUsers verification_token:string:uniq verification_token_generated_at:datetime
+```
+
+### Email Verification
+Include MinimalistAuthentication::EmailVerification in your user model (app/models/user.rb)
+```ruby
+class User < ApplicationRecord
+  include MinimalistAuthentication::User
+  include MinimalistAuthentication::VerifiableToken
+  include MinimalistAuthentication::EmailVerification
+end
+```
+
+Add the **email_verified_at** column to your user model:
+```bash
+bin/rails generate migration AddVerificationTokenToUsers verification_token:string:uniq verification_token_generated_at:datetime
+```
+
+
 ## Conversions
 Pre 2.0 versions of MinimalistAuthentication supported multiple hash algorithms
 and stored the hashed password and salt as separate fields in the database

data/app/controllers/email_verifications_controller.rb

@@ -0,0 +1,16 @@
+class EmailVerificationsController < ApplicationController
+  def new
+    # verify email for current_user
+  end
+
+  def create
+    current_user.regenerate_verification_token
+    MinimalistAuthenticationMailer.verify_email(current_user).deliver_now
+
+    redirect_to dashboard_path, notice: "Verification email sent to #{current_user.email}, follow the instructions to complete verification. Thank you!"
+  end
+
+  def show
+    current_user.verify_email(params[:token])
+  end
+end

data/app/controllers/emails_controller.rb

@@ -0,0 +1,22 @@
+class EmailsController < ApplicationController
+  def edit
+  end
+
+  def update
+    if current_user.update_attributes(user_params)
+      redirect_to update_redirect_path, notice: 'Email successfully updated'
+    else
+      render :edit
+    end
+  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:email)
+  end
+
+  def update_redirect_path
+    current_user.needs_email_verification? ? new_email_verification_path : dashboard_path
+  end
+end

data/app/controllers/password_resets_controller.rb

@@ -0,0 +1,30 @@
+class PasswordResetsController < ApplicationController
+  skip_before_action :authorization_required
+
+  layout 'sessions'
+
+  # Form for user to request a password reset
+  def new
+    @user = MinimalistAuthentication.configuration.user_model.new
+  end
+
+  # Send a password update link to users with a verified email
+  def create
+    if user
+      user.regenerate_verification_token
+      MinimalistAuthenticationMailer.update_password(user).deliver_now
+    end
+    # always display notice even if the user was not found to prevent leaking user emails
+    redirect_to new_session_path, notice: "Password reset instructions were mailed to #{email_params[:email]}"
+  end
+
+  private
+
+  def user
+    @user ||= MinimalistAuthentication.configuration.user_model.active.email_verified.find_by(email_params)
+  end
+
+  def email_params
+    params.require(:user).permit(:email)
+  end
+end

data/app/controllers/passwords_controller.rb

@@ -0,0 +1,34 @@
+class PasswordsController < ApplicationController
+  skip_before_action :authorization_required
+
+  layout 'sessions'
+
+  # From for user to update password
+  def edit
+    redirect_to(new_session_path) unless user.matches_verification_token?(token)
+    # render passwords/edit.html.erb
+  end
+
+  # Update user's password
+  def update
+    if user.secure_update(token, password_params.merge(password_required: true))
+      redirect_to new_session_path, notice: 'Password successfully updated'
+    else
+      render :edit
+    end
+  end
+
+  private
+
+  def user
+    @user ||= User.find(params[:user_id])
+  end
+
+  def token
+    @token ||= params[:token]
+  end
+
+  def password_params
+    params.require(:user).permit(:password, :password_confirmation)
+  end
+end

data/app/mailers/application_mailer.rb

@@ -0,0 +1,5 @@
+class ApplicationMailer < ActionMailer::Base
+  default from: 'from@example.com'
+  layout 'mailer'
+end
+

data/app/mailers/minimalist_authentication_mailer.rb

@@ -0,0 +1,22 @@
+class MinimalistAuthenticationMailer < ApplicationMailer
+  def verify_email(user)
+    @verify_email_link = email_verification_url(token: user.verification_token)
+    send_to(user, 'Email Address Verification')
+  end
+
+  def update_password(user)
+    @edit_password_link = edit_user_password_url(user, token: user.verification_token)
+    send_to(user, 'Update Password')
+  end
+
+  private
+
+  def send_to(user, subject)
+    @user = user
+    mail to: @user.email, subject: prefixed_subject(subject)
+  end
+
+  def prefixed_subject(subject)
+    "#{MinimalistAuthentication.configuration.email_prefix} #{subject}"
+  end
+end

data/app/views/email_verifications/new.html.erb

@@ -0,0 +1,14 @@
+<h2>Please verify your email address</h2>
+
+<p>
+  <strong><%= current_user.email %></strong>
+  <em><%= link_to('change', edit_email_path) %></em>
+</p>
+
+<%= form_tag email_verification_path do |form| %>
+  <%= submit_tag 'Send Verification Email' %>
+<% end %>
+
+<p>Verifying your email will allow you to receive confidential messages and reset your password.</p>
+
+<%= link_to('Skip Email Verification', dashboard_path) %>

data/app/views/email_verifications/show.html.erb

@@ -0,0 +1,10 @@
+<h1>Email Verification</h1>
+
+<% if current_user.email_verified? %>
+  <h2>Your email address has been verified</h2>
+<% else %>
+  <h2>Email address verification failed</h2>
+<% end %>
+<h2><%= current_user.email %></h2>
+
+<%= link_to('Go to Dashboard', dashboard_path) %>

data/app/views/emails/edit.html.erb

@@ -0,0 +1,12 @@
+<h1>Email Update</h1>
+
+<h2>Please update your email address</h2>
+
+<%= form_for(current_user, as: :user, url: email_path) do |form| %>
+  <%= form.text_field :email %>
+  <%= form.submit 'Update' %>
+<% end %>
+
+<p>Providing your email will allow you to receive confidential messages and reset your password.</p>
+
+<%= link_to('Skip Email Update', dashboard_path) %>

data/app/views/layouts/mailer.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <style>
+      /* Email styles need to be inline */
+    </style>
+  </head>
+
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/app/views/layouts/mailer.text.erb

@@ -0,0 +1 @@
+<%= yield %>

data/app/views/minimalist_authentication_mailer/update_password.html.erb

@@ -0,0 +1,3 @@
+<p><%= t('.opening') %></p>
+
+<%= link_to @edit_password_link, @edit_password_link %>

data/app/views/minimalist_authentication_mailer/update_password.text.erb

@@ -0,0 +1,3 @@
+<%= t('.opening') %>
+
+<%= @edit_password_link %>

data/app/views/minimalist_authentication_mailer/verify_email.html.erb

@@ -0,0 +1,5 @@
+<p><%= t('.opening') %></p>
+
+<%= link_to @verify_email_link, @verify_email_link %>
+
+<p><%= t('.closing') %></p>

data/app/views/minimalist_authentication_mailer/verify_email.text.erb

@@ -0,0 +1,5 @@
+<%= t('.opening') %>
+
+<%= @verify_email_link %>
+
+<%= t('.closing') %>

data/app/views/password_resets/new.html.erb

@@ -0,0 +1,13 @@
+<h1>Request Password Reset</h1>
+
+<p>
+  Enter your email address we'll send you a link to reset your password.
+</p>
+
+<%= form_for @user, as: :user, url: password_reset_path do |form| %>
+  <div>
+    <%= form.label      :email %>
+    <%= form.text_field :email %>
+  </div>
+  <%= form.submit 'Reset Password' %>
+<% end %>

data/app/views/passwords/edit.html.erb

@@ -0,0 +1,17 @@
+<h1>Edit Password</h1>
+
+<%= form_for @user, as: :user, url: user_password_path(@user, token: @token), html: { method: :put } do |form| %>
+  <div>
+    <%= form.label          :password %>
+    <%= form.password_field :password %>
+  </div>
+  <div>
+    <%= form.label          :password_confirmation %>
+    <%= form.password_field :password_confirmation %>
+  </div>
+  <%= form.submit 'Update Password' %>
+<% end %>
+
+<div class="field_with_errors" style: 'border-width:5px;'>
+  testing
+</div>

data/app/views/sessions/_form.html.erb

@@ -1,5 +1,11 @@
-<%= form_for :user, url: session_path do |form| %>
-  <%= form.text_field     :email %>
-  <%= form.password_field :password %>
+<%= form_for @user, url: session_path do |form| %>
+  <div>
+    <%= form.label          :email %>
+    <%= form.text_field     :email %>
+  </div>
+  <div>
+    <%= form.label          :password %>
+    <%= form.password_field :password %>
+  </div>
   <%= form.submit         'Log in' %>
 <% end %>

data/app/views/sessions/new.html.erb

@@ -1 +1,3 @@
+<h1>Login</h1>
 <%= render partial: 'form' %>
+<%= link_to 'I forgot', new_password_reset_path %>

data/config/locales/minimalist_authentication.en.yml

@@ -0,0 +1,7 @@
+en:
+  minimalist_authentication_mailer:
+    update_password:
+      opening: 'Please click the link below to update your password:'
+    verify_email:
+      opening: "Please click the link below to complete your email verification:"
+      closing: 'If you did not request email verification you can safely ignore this message.'

data/config/routes.rb

@@ -1,2 +1,10 @@
 Rails.application.routes.draw do
+  resources :user, only: [] do
+    resource :password,         only: %i(edit update)
+  end
+
+  resource :password_reset,     only: %i(new create)
+
+  resource :email,              only: %i(edit update)
+  resource :email_verification, only: %i(new create show)
 end

data/lib/minimalist_authentication.rb

@@ -1,6 +1,8 @@
 require 'minimalist_authentication/engine'
 require 'minimalist_authentication/configuration'
 require 'minimalist_authentication/user'
+require 'minimalist_authentication/verifiable_token'
+require 'minimalist_authentication/email_verification'
 require 'minimalist_authentication/password'
 require 'minimalist_authentication/null_password'
 require 'minimalist_authentication/controller'

data/lib/minimalist_authentication/configuration.rb

@@ -32,11 +32,37 @@ module MinimalistAuthentication
     # Note: validate_email_presence is only checked if validate_email is true.
     attr_accessor :validate_email_presence
 
+    # Check for users email at login and request if blank. Only useful if using
+    # username to login and users might not have an email set.
+    # Defaults to true
+    attr_accessor :request_email
+
+    # Vefify users email address at login.
+    # Defaults to true.
+    attr_accessor :verify_email
+
+    # Where to route users after a successful login.
+    # Defaults to :root_path
+    attr_accessor :login_redirect_path
+
+    # Where to route users after logging out.
+    # Defaults to :new_session_path
+    attr_accessor :logout_redirect_path
+
+    # Email subject prefix for MinimalistAuthenticationMailer messages
+    # Defaults to application name
+    attr_accessor :email_prefix
+
     def initialize
       self.user_model_name          = '::User'
       self.session_key              = :user_id
       self.validate_email           = true
       self.validate_email_presence  = true
+      self.request_email            = true
+      self.verify_email             = true
+      self.login_redirect_path      = :root_path
+      self.logout_redirect_path     = :new_session_path
+      self.email_prefix             = default_email_prefix
     end
 
     # Returns the user_model class
@@ -45,5 +71,11 @@ module MinimalistAuthentication
     def user_model
       @user_model ||= user_model_name.constantize
     end
+
+    private
+
+    def default_email_prefix
+      "[#{Rails.application.engine_name.gsub(/_application\z/, '').titleize}]"
+    end
   end
 end

data/lib/minimalist_authentication/email_verification.rb

@@ -0,0 +1,41 @@
+module MinimalistAuthentication
+  module EmailVerification
+    extend ActiveSupport::Concern
+
+    included do
+      before_save :clear_email_verification, if: ->(user) { user.email_changed? }
+
+      scope :email_verified, -> { where('LENGTH(email) > 2').where.not(email_verified_at: nil) }
+    end
+
+    def needs_email_set?
+      request_email_enabled? && email.blank?
+    end
+
+    def needs_email_verification?
+      email_verification_enabled? && email.present? && email_verified_at.blank?
+    end
+
+    def email_verified?
+      email.present? && email_verified_at.present?
+    end
+
+    def verify_email(token)
+      secure_update(token, email_verified_at: Time.zone.now)
+    end
+
+    private
+
+    def request_email_enabled?
+      MinimalistAuthentication.configuration.request_email
+    end
+
+    def email_verification_enabled?
+      MinimalistAuthentication.configuration.verify_email
+    end
+
+    def clear_email_verification
+      self.email_verified_at = nil
+    end
+  end
+end

data/lib/minimalist_authentication/sessions.rb

@@ -8,7 +8,7 @@ module MinimalistAuthentication
     end
 
     def new
-      @user = MinimalistAuthentication.configuration.user_model.new
+      new_user
     end
 
     def create
@@ -16,7 +16,7 @@ module MinimalistAuthentication
         scrub_session!
         authenticated_user.logged_in
         session[MinimalistAuthentication.configuration.session_key] = authenticated_user.id
-        after_authentication_success
+        set_or_verify_email || after_authentication_success
         return
       else
         after_authentication_failure
@@ -31,6 +31,10 @@ module MinimalistAuthentication
 
     private
 
+    def new_user
+      @user ||= MinimalistAuthentication.configuration.user_model.new
+    end
+
     def authenticated_user
       @authenticated_user ||= MinimalistAuthentication.configuration.user_model.authenticate(user_params)
     end
@@ -39,12 +43,28 @@ module MinimalistAuthentication
       @user_params ||= params.require(:user).permit(:email, :username, :password)
     end
 
+    def set_or_verify_email
+      if authenticated_user.needs_email_set?
+        redirect_to edit_email_path
+      elsif authenticated_user.needs_email_verification? && !attempting_to_verify?
+        redirect_to new_email_verification_path
+      else
+        false
+      end
+    end
+
     def after_authentication_success
       redirect_back_or_default(login_redirect_to)
     end
 
+    def attempting_to_verify?
+      # check if user is attpting to verify their email
+      session['return_to'].to_s[/token/]
+    end
+
     def after_authentication_failure
       flash.now[:alert] = "Couldn't log you in as '#{user_params[:email] || user_params[:username]}'"
+      new_user
       render :new
     end
 
@@ -55,11 +75,11 @@ module MinimalistAuthentication
     end
 
     def login_redirect_to
-      root_path
+      send(MinimalistAuthentication.configuration.login_redirect_path)
     end
 
     def logout_redirect_to
-      new_session_path
+      send(MinimalistAuthentication.configuration.logout_redirect_path)
     end
   end
 end

data/lib/minimalist_authentication/user.rb

@@ -4,32 +4,37 @@ module MinimalistAuthentication
   module User
     extend ActiveSupport::Concern
 
-    GUEST_USER_EMAIL = 'guest'
-    EMAIL_REGEX = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i
+    GUEST_USER_EMAIL  = 'guest'
+    EMAIL_REGEX       = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i
+    PASSWORD_MIN      = 8
+    PASSWORD_MAX      = 40
 
     included do
       # Stores the plain text password.
       attr_accessor :password
 
+      # Force validations for a blank password.
+      attr_accessor :password_required
+
       # Hashes and stores the password on save.
       before_save :hash_password
 
       # Email validations
-      validates_presence_of     :email,                                       if: :validate_email_presence?
-      validates_uniqueness_of   :email, allow_blank: true,                    if: :validate_email?
-      validates_format_of       :email, allow_blank: true, with: EMAIL_REGEX, if: :validate_email?
+      validates_presence_of     :email,                                         if: :validate_email_presence?
+      validates_uniqueness_of   :email, allow_blank: true,                      if: :validate_email?
+      validates_format_of       :email, allow_blank: true, with: EMAIL_REGEX,   if: :validate_email?
 
       # Password validations
-      validates_presence_of     :password,                  if: :validate_password?
-      validates_confirmation_of :password,                  if: :validate_password?
-      validates_length_of       :password, within: 8..40,   if: :validate_password?
+      validates_presence_of     :password,                                      if: :validate_password?
+      validates_confirmation_of :password,                                      if: :validate_password?
+      validates_length_of       :password, within: PASSWORD_MIN..PASSWORD_MAX,  if: :validate_password?
 
       # Active scope
       scope :active, ->(active = true) { where active: active }
     end
 
     module ClassMethods
-      # Authenticates a user form the params provied. Expects a params hash with
+      # Authenticates a user form the params provided. Expects a params hash with
       # email or username and passwod keys.
       # Params examples:
       # { email: 'user@example.com', password: 'abc123' }
@@ -103,9 +108,10 @@ module MinimalistAuthentication
     end
 
     # Requre password for active users that either do no have a password hash
-    # stored OR are attempting to set a new password.
+    # stored OR are attempting to set a new password. Set **password_required**
+    # to true to force validations even when the password field is blank.
     def validate_password?
-      active? && (password_hash.blank? || password.present?)
+      active? && (password_hash.blank? || password.present? || password_required)
     end
 
     # Validate email for active users.

data/lib/minimalist_authentication/verifiable_token.rb

@@ -0,0 +1,51 @@
+module MinimalistAuthentication
+  module VerifiableToken
+    extend ActiveSupport::Concern
+
+    TOKEN_EXPIRATION_HOURS = 6
+
+    # generate secure verification_token and record generation time
+    def regenerate_verification_token
+      update_token
+    end
+
+    def secure_update(token, attributes)
+      if matches_verification_token?(token)
+        update(attributes) && clear_token
+      else
+        errors.add(:base, 'Verfication token check failed')
+        return false
+      end
+    end
+
+    def matches_verification_token?(token)
+      verification_token_valid? && secure_match?(token)
+    end
+
+    def verification_token_valid?
+      return false if verification_token.blank? || verification_token_generated_at.blank?
+      verification_token_generated_at > TOKEN_EXPIRATION_HOURS.hours.ago
+    end
+
+    private
+
+    def clear_token
+      update_token(token: nil, time: nil)
+    end
+
+    def update_token(token: self.class.generate_unique_secure_token, time: Time.now.utc)
+      update!(
+        verification_token:               token,
+        verification_token_generated_at:  time
+      )
+    end
+
+    # Compare the tokens in a time-constant manner, to mitigate timing attacks.
+    def secure_match?(token)
+      ActiveSupport::SecurityUtils.secure_compare(
+        ::Digest::SHA256.hexdigest(token),
+        ::Digest::SHA256.hexdigest(verification_token)
+      )
+    end
+  end
+end

data/lib/minimalist_authentication/version.rb

@@ -1,3 +1,3 @@
 module MinimalistAuthentication
-  VERSION = '2.0.0'
+  VERSION = '2.1.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: minimalist_authentication
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Aaron Baldwin
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-09-18 00:00:00.000000000 Z
+date: 2017-10-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -71,19 +71,39 @@ files:
 - README.md
 - Rakefile
 - app/assets/config/minimalist_authentication_manifest.js
+- app/controllers/email_verifications_controller.rb
+- app/controllers/emails_controller.rb
+- app/controllers/password_resets_controller.rb
+- app/controllers/passwords_controller.rb
+- app/mailers/application_mailer.rb
+- app/mailers/minimalist_authentication_mailer.rb
+- app/views/email_verifications/new.html.erb
+- app/views/email_verifications/show.html.erb
+- app/views/emails/edit.html.erb
+- app/views/layouts/mailer.html.erb
+- app/views/layouts/mailer.text.erb
+- app/views/minimalist_authentication_mailer/update_password.html.erb
+- app/views/minimalist_authentication_mailer/update_password.text.erb
+- app/views/minimalist_authentication_mailer/verify_email.html.erb
+- app/views/minimalist_authentication_mailer/verify_email.text.erb
+- app/views/password_resets/new.html.erb
+- app/views/passwords/edit.html.erb
 - app/views/sessions/_form.html.erb
 - app/views/sessions/new.html.erb
+- config/locales/minimalist_authentication.en.yml
 - config/routes.rb
 - lib/minimalist_authentication.rb
 - lib/minimalist_authentication/configuration.rb
 - lib/minimalist_authentication/controller.rb
 - lib/minimalist_authentication/conversions/merge_password_hash.rb
+- lib/minimalist_authentication/email_verification.rb
 - lib/minimalist_authentication/engine.rb
 - lib/minimalist_authentication/null_password.rb
 - lib/minimalist_authentication/password.rb
 - lib/minimalist_authentication/sessions.rb
 - lib/minimalist_authentication/test_helper.rb
 - lib/minimalist_authentication/user.rb
+- lib/minimalist_authentication/verifiable_token.rb
 - lib/minimalist_authentication/version.rb
 - lib/tasks/minimalist_authentication_tasks.rake
 homepage: https://github.com/wwidea/minimalist_authentication