minimalist_authentication 3.1.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb8cc19088eea71ab56f803fe72724911988a9dea1eaf2df45ab6eab1127fea9
-  data.tar.gz: 648dad4be8864624cf3bc9158c9cc207fc19da57256c363415c2c4b3cbe6b3ef
+  metadata.gz: ba64bc8499dedd0f4fe8dfca813cc0c21e2d32759bd3b3b4dd8aac3c0e77605a
+  data.tar.gz: 566e4b373c274fd7843469d4d225560baf877aabde97658b1aa5a66f3c97f65e
 SHA512:
-  metadata.gz: fdce2aed67b60fb4adc4d6227523001c52099ea9df6458aa420ce89616467986e05e12362afba71811502d25ab406e2356d2857bc62f640ce7942dc00dc408f4
-  data.tar.gz: a9c0c9ac343602975b60415c0b53c13e50f748e08a63bf37a1ecb6ca64c20eea1e4e6402096c1900b45255cd13ee736a0ef664cce7a25639fccf73486ede9e12
+  metadata.gz: 149c5f1eb8a13319ba9d4848a7851107433d96081ed9a1bf01e43cba0366cb1e873aaa47c10eefed29aba9b973bf53076ecefd6d7b6835bb1a9300a4db8813fc
+  data.tar.gz: 51aae04db4c7bcdf4a26009fc1278aa716aea12d95624fe74ffd21fb9d52e0c901ec78d15751df92c2ce2882544a54b80f623e72a53703e1a67b88072662aed9

data/README.md

@@ -1,15 +1,15 @@
 # MinimalistAuthentication
-A Rails authentication gem that takes a minimalist approach. It is designed to be simple to understand, use, and modify for your application.
+A Rails authentication gem that takes a minimalist approach. It is designed to be simple to understand, use, and customize for your application.
 
 
 ## Installation
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'minimalist_authentication'
+gem "minimalist_authentication"
 ```
 
-And then execute:
+And then run:
 ```bash
 $ bundle
 ```
@@ -61,18 +61,29 @@ class ActiveSupport::TestCase
 end
 ```
 
+
 ## Configuration
 Customize the configuration with an initializer. Create a **minimalist_authentication.rb** file in config/initializers.
 ```ruby
 MinimalistAuthentication.configure do |configuration|
-  configuration.user_model_name           = 'CustomModelName'   # default is '::User'
+  configuration.login_redirect_path       = :custom_path        # default is :root_path
+  configuration.logout_redirect_path      = :custom_path        # default is :new_session_path
+  configuration.request_email             = true                # default is true
   configuration.session_key               = :custom_session_key # default is :user_id
+  configuration.user_model_name           = "CustomModelName"   # default is "::User"
   configuration.validate_email            = true                # default is true
   configuration.validate_email_presence   = true                # default is true
-  configuration.request_email             = true                # default is true
   configuration.verify_email              = true                # default is true
-  configuration.login_redirect_path       = :custom_path        # default is :root_path
-  configuration.logout_redirect_path      = :custom_path        # default is :new_session_path
+end
+```
+
+### Example with a Person Model
+```ruby
+MinimalistAuthentication.configure do |configuration|
+  configuration.login_redirect_path     = :dashboard_path
+  configuration.session_key             = :person_id
+  configuration.user_model_name         = "Person"
+  configuration.validate_email_presence = false
 end
 ```
 
@@ -86,38 +97,44 @@ example_user:
 ```
 
 
-## Verification Tokens
-Verification token support is provided by the **MinimalistAuthentication::VerifiableToken**
-module. Include the module in your user class and add the verification token columns
-to the database.
-
-Include MinimalistAuthentication::VerifiableToken in your user model (app/models/user.rb)
+## Email Verification
+Include MinimalistAuthentication::EmailVerification in your user model (app/models/user.rb)
 ```ruby
 class User < ApplicationRecord
   include MinimalistAuthentication::User
-  include MinimalistAuthentication::VerifiableToken
+  include MinimalistAuthentication::EmailVerification
 end
 ```
 
-Add the **verification_token** and **verification_token_generated_at** columns:
-Create a user model with **email** for an identifier:
+Add the **email_verified_at** column to your user model:
 ```bash
-bin/rails generate migration AddVerificationTokenToUsers verification_token:string:uniq verification_token_generated_at:datetime
+bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetime
 ```
 
-### Email Verification
-Include MinimalistAuthentication::EmailVerification in your user model (app/models/user.rb)
+
+## Verification Tokens
+Verification token support is provided by the ```ActiveRecord::TokenFor#generate_token_for``` method. MinimalistAuthentication includes token definitions for **password_reset** and **email_verification**. These tokens are utilized by the **update_password** and **verify_email** email messages respectively, to allow users to update their passwords and verify their email addresses.
+
+### Update Password
+The **update_password** token expires in 1 hour and is invalidated when the user's password is changed.
+
+#### Example
 ```ruby
-class User < ApplicationRecord
-  include MinimalistAuthentication::User
-  include MinimalistAuthentication::VerifiableToken
-  include MinimalistAuthentication::EmailVerification
-end
+token = user.generate_token_for(:password_reset)
+User.find_by_token_for(:password_reset, token) # => user
+user.update!(password: "new password")
+User.find_by_token_for(:password_reset, token) # => nil
 ```
 
-Add the **email_verified_at** column to your user model:
-```bash
-bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetime
+### Email Verification
+The **email_verification** token expires in 1 hour and is invalidated when the user's email is changed.
+
+#### Example
+```ruby
+token = user.generate_token_for(:email_verification)
+User.find_by_token_for(:email_verification, token) # => user
+user.update!(email: "new_email@example.com")
+User.find_by_token_for(:email_verification, token) # => nil
 ```
 
 
@@ -126,7 +143,7 @@ bin/rails generate migration AddEmailVerifiedAtToUsers email_verified_at:datetim
 ### Upgrading to Version 2.0
 Pre 2.0 versions of MinimalistAuthentication supported multiple hash algorithms
 and stored the hashed password and salt as separate fields in the database
-(crypted_password and salt). The current version of MinimalistAuthentication
+(crypted_password and salt). The 2.0 version of MinimalistAuthentication
 uses BCrypt to hash passwords and stores the result in the **password_hash** field.
 
 To convert from a pre 2.0 version add the **password_hash** to your user model
@@ -162,5 +179,9 @@ end
 alias_attribute :password_digest, :password_hash
 ```
 
+### Upgrading to Version 3.2
+The **verification_token** and **verification_token_generated_at** database columns are no longer used and can be safely removed from your user model.
+
+
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT)..

data/app/controllers/email_verifications_controller.rb

@@ -1,18 +1,19 @@
 # frozen_string_literal: true
 
 class EmailVerificationsController < ApplicationController
+  # Verifies the email of the current_user using the provided token
   def show
     current_user.verify_email(params[:token])
   end
 
+  # Form for current_user to request an email verification email
   def new
-    # verify email for current_user
+    # new.html.erb
   end
 
+  # Sends an email verification email to the current_user
   def create
-    current_user.regenerate_verification_token
     MinimalistAuthenticationMailer.with(user: current_user).verify_email.deliver_now
-
     redirect_to dashboard_path, notice: t(".notice", email: current_user.email)
   end
 end

data/app/controllers/emails_controller.rb

@@ -7,7 +7,7 @@ class EmailsController < ApplicationController
     if current_user.update(user_params)
       redirect_to update_redirect_path, notice: t(".notice")
     else
-      render :edit
+      render :edit, status: :unprocessable_entity
     end
   end
 

data/app/controllers/password_resets_controller.rb

@@ -5,30 +5,39 @@ class PasswordResetsController < ApplicationController
 
   layout "sessions"
 
-  # Form for user to request a password reset
+  # Renders form for user to request a password reset
   def new
-    @user = MinimalistAuthentication.configuration.user_model.new
+    # new.html.erb
   end
 
   # Send a password update link to users with a verified email
   def create
-    if user
-      user.regenerate_verification_token
-      MinimalistAuthenticationMailer.with(user:).update_password.deliver_now
+    if email_valid?
+      send_update_password_email if user
+
+      # Always display notice to prevent leaking user emails
+      redirect_to new_session_path, notice: t(".notice", email:)
+    else
+      flash.now.alert = t(".alert")
+      render :new, status: :unprocessable_entity
     end
-    # always display notice even if the user was not found to prevent leaking user emails
-    redirect_to new_session_path, notice: "Password reset instructions were mailed to #{email}"
   end
 
   private
 
-  def user
-    return unless URI::MailTo::EMAIL_REGEXP.match?(email)
+  def email
+    params.dig(:user, :email)
+  end
 
-    @user ||= MinimalistAuthentication.configuration.user_model.active.email_verified.find_by(email:)
+  def send_update_password_email
+    MinimalistAuthenticationMailer.with(user:).update_password.deliver_now
   end
 
-  def email
-    params.dig(:user, :email)
+  def user
+    @user ||= MinimalistAuthentication.user_model.find_by_verified_email(email:)
+  end
+
+  def email_valid?
+    URI::MailTo::EMAIL_REGEXP.match?(email)
   end
 end

data/app/controllers/passwords_controller.rb

@@ -3,34 +3,39 @@
 class PasswordsController < ApplicationController
   skip_before_action :authorization_required
 
+  before_action :validate_token, only: %i[edit update]
+
   layout "sessions"
 
   # From for user to update password
   def edit
-    redirect_to(new_session_path) unless user.matches_verification_token?(token)
-    # render passwords/edit.html.erb
+    # edit.html.erb
   end
 
   # Update user's password
   def update
-    if user.secure_update(token, password_params.merge(password_required: true))
+    if user.update(password_params.merge(password_required: true))
       redirect_to new_session_path, notice: t(".notice")
     else
-      render :edit
+      render :edit, status: :unprocessable_entity
     end
   end
 
   private
 
-  def user
-    @user ||= MinimalistAuthentication.configuration.user_model.find(params[:user_id])
+  def password_params
+    params.require(:user).permit(:password, :password_confirmation)
   end
 
   def token
     @token ||= params[:token]
   end
 
-  def password_params
-    params.require(:user).permit(:password, :password_confirmation)
+  def user
+    @user ||= MinimalistAuthentication.user_model.active.find_by_token_for(:password_reset, token)
+  end
+
+  def validate_token
+    redirect_to(new_session_path, alert: t(".invalid_token")) unless user
   end
 end

data/app/helpers/minimalist_authentication/application_helper.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module MinimalistAuthentication
+  module ApplicationHelper
+    def ma_confirm_password_field(form, options = {})
+      form.password_field(
+        :password_confirmation,
+        options.reverse_merge(
+          autocomplete: "new-password",
+          minlength:    MinimalistAuthentication.user_model.password_minimum,
+          placeholder:  t(".password_confirmation.placeholder"),
+          required:     true
+        )
+      )
+    end
+
+    def ma_email_field(form, options = {})
+      form.email_field(
+        :email,
+        options.reverse_merge(
+          autocomplete: "email",
+          autofocus:    true,
+          placeholder:  t(".email.placeholder", default: true),
+          required:     true
+        )
+      )
+    end
+
+    def ma_forgot_password_link
+      link_to(t(".forgot_password"), new_password_reset_path)
+    end
+
+    def ma_new_password_field(form, options = {})
+      form.password_field(
+        :password,
+        options.reverse_merge(
+          autocomplete: "new-password",
+          minlength:    MinimalistAuthentication.user_model.password_minimum,
+          placeholder:  t(".password.placeholder"),
+          required:     true
+        )
+      )
+    end
+
+    def ma_password_field(form, options = {})
+      form.password_field(
+        :password,
+        options.reverse_merge(
+          autocomplete: "current-password",
+          placeholder:  true,
+          required:     true
+        )
+      )
+    end
+
+    def ma_username_field(form, options = {})
+      form.text_field(
+        :username,
+        options.reverse_merge(
+          autocomplete: "username",
+          autofocus:    true,
+          placeholder:  true,
+          required:     true
+        )
+      )
+    end
+  end
+end

data/app/mailers/minimalist_authentication_mailer.rb

@@ -5,11 +5,11 @@ class MinimalistAuthenticationMailer < ApplicationMailer
   after_action :mail_user
 
   def verify_email
-    @verify_email_link = email_verification_url(token: @user.verification_token)
+    @verify_email_url = email_verification_url(token: @user.generate_token_for(:email_verification))
   end
 
   def update_password
-    @edit_password_link = edit_user_password_url(@user, token: @user.verification_token)
+    @edit_password_url = edit_password_url(token: @user.generate_token_for(:password_reset))
   end
 
   private

data/app/views/email_verifications/show.html.erb

@@ -7,4 +7,4 @@
 <% end %>
 <h2><%= current_user.email %></h2>
 
-<%= link_to('Go to Dashboard', dashboard_path) %>
+<%= link_to("Go to Dashboard", dashboard_path) %>

data/app/views/emails/edit.html.erb

@@ -2,11 +2,11 @@
 
 <h2>Please update your email address</h2>
 
-<%= form_for(current_user, as: :user, url: email_path) do |form| %>
+<%= form_with(model: current_user, url: email_path) do |form| %>
   <%= form.text_field :email %>
-  <%= form.submit 'Update' %>
+  <%= form.submit "Update" %>
 <% end %>
 
 <p>Providing your email will allow you to receive confidential messages and reset your password.</p>
 
-<%= link_to('Skip Email Update', dashboard_path) %>
+<%= link_to("Skip Email Update", dashboard_path) %>

data/app/views/minimalist_authentication_mailer/update_password.html.erb

@@ -1,3 +1,5 @@
 <p><%= t('.opening') %></p>
 
-<%= link_to @edit_password_link, @edit_password_link %>
+<p>
+  <%= link_to("Update Password", @edit_password_url, rel: "noopener noreferrer", target: "_blank") %>
+</p>

data/app/views/minimalist_authentication_mailer/update_password.text.erb

@@ -1,3 +1,3 @@
-<%= t('.opening') %>
+<%= t(".opening") %>
 
-<%= @edit_password_link %>
+<%= @edit_password_url %>

data/app/views/minimalist_authentication_mailer/verify_email.html.erb

@@ -1,5 +1,11 @@
-<p><%= t('.opening') %></p>
+<p>
+  <%= t(".opening") %>
+</p>
 
-<%= link_to @verify_email_link, @verify_email_link %>
+<p>
+  <%= link_to("Verify Email Address", @verify_email_url, rel: "noopener noreferrer", target: "_blank") %>
+</p>
 
-<p><%= t('.closing') %></p>
+<p>
+  <%= t(".closing") %>
+</p>

data/app/views/minimalist_authentication_mailer/verify_email.text.erb

@@ -1,5 +1,5 @@
-<%= t('.opening') %>
+<%= t(".opening") %>
 
-<%= @verify_email_link %>
+<%= @verify_email_url %>
 
-<%= t('.closing') %>
+<%= t(".closing") %>

data/app/views/password_resets/new.html.erb

@@ -1,13 +1,12 @@
-<h1>Request Password Reset</h1>
+<h1><%= t(".title") %></h1>
 
 <p>
-  Enter your email address we'll send you a link to reset your password.
+  <%= t(".instructions") %>
 </p>
 
-<%= form_for @user, as: :user, url: password_reset_path do |form| %>
+<%= form_with scope: :user, url: password_reset_path do |form| %>
   <div>
-    <%= form.label      :email %>
-    <%= form.text_field :email %>
+    <%= ma_email_field(form) %>
   </div>
-  <%= form.submit 'Reset Password' %>
+  <%= form.submit t(".submit") %>
 <% end %>

data/app/views/passwords/edit.html.erb

@@ -1,15 +1,17 @@
-<h1>Edit Password</h1>
+<h1><%= t(".title") %></h1>
+
+<p><%= t(".instructions") %></p>
 
 <%= @user.errors.full_messages if @user.errors.any? %>
 
-<%= form_for @user, as: :user, url: user_password_path(@user, token: @token), html: { method: :put } do |form| %>
+<%= form_with model: @user, url: password_path(token: @token) do |form| %>
   <div>
-    <%= form.label          :password %>
-    <%= form.password_field :password %>
+    <%= form.label :password %>
+    <%= ma_new_password_field(form) %>
   </div>
   <div>
-    <%= form.label          :password_confirmation %>
-    <%= form.password_field :password_confirmation %>
+    <%= form.label :password_confirmation %>
+    <%= ma_confirm_password_field(form) %>
   </div>
-  <%= form.submit 'Update Password' %>
+  <%= form.submit t(".submit") %>
 <% end %>

data/app/views/sessions/_form.html.erb

@@ -1,11 +1,11 @@
-<%= form_for @user, url: session_path do |form| %>
+<%= form_with model: @user, url: session_path do |form| %>
   <div>
-    <%= form.label          :email %>
-    <%= form.text_field     :email %>
+    <%= form.label :email %>
+    <%= ma_email_field(form) %>
   </div>
-  <div>
-    <%= form.label          :password %>
-    <%= form.password_field :password %>
+  <div style="margin-top: 8px;">
+    <%= form.label :password %>
+    <%= ma_password_field(form) %>
   </div>
-  <%= form.submit         'Log in' %>
+  <%= form.submit t("sessions.new.submit") %>
 <% end %>

data/app/views/sessions/new.html.erb

@@ -1,3 +1,3 @@
-<h1>Login</h1>
-<%= render partial: 'form' %>
-<%= link_to 'I forgot', new_password_reset_path %>
+<h1><%= t(".title") %></h1>
+<%= render partial: "form" %>
+<%= ma_forgot_password_link %>

data/config/locales/minimalist_authentication.en.yml

@@ -1,12 +1,38 @@
 en:
-  # controllers
   email_verifications:
     create:
       notice: Verification email sent to %{email}, follow the instructions to complete verification. Thank you!
   emails:
     update:
       notice: Email successfully updated
+  minimalist_authentication_mailer:
+    update_password:
+      opening: Please click the link below to update your password.
+      subject: Update Password
+    verify_email:
+      closing: If you did not request email verification you can safely ignore this message.
+      opening: Please click the link below to complete your email verification.
+      subject: Email Address Verification
+  password_resets:
+    new:
+      email:
+        placeholder: Enter your email address
+      instructions: Enter your verified email address, and we'll send you a link to reset your password.
+      submit: Send Reset Link
+      title: Reset Your Password
+    create:
+      alert: Please provide a valid email address.
+      notice: We've sent password reset instructions to %{email}. If you don't receive the email within a few minutes, please check your spam folder.
   passwords:
+    edit:
+      instructions: Please enter your new password.
+      password:
+        placeholder: New password
+      password_confirmation:
+        placeholder: Confirm password
+      submit: Reset Password
+      title: Reset Password
+    invalid_token: Your password reset link has expired. Please request a new one to continue.
     update:
       notice: Password successfully updated
   sessions:
@@ -14,13 +40,7 @@ en:
       alert: Couldn't log you in as %{identifier}
     destroy:
       notice: You have been logged out.
-
-  # mailers
-  minimalist_authentication_mailer:
-    update_password:
-      opening: Please click the link below to update your password.
-      subject: Update Password
-    verify_email:
-      closing: If you did not request email verification you can safely ignore this message.
-      opening: Please click the link below to complete your email verification.
-      subject: "Email Address Verification"
+    new:
+      forgot_password: Forgot password?
+      title: Sign In
+      submit: Sign In

data/config/routes.rb

@@ -1,12 +1,8 @@
 # frozen_string_literal: true
 
 Rails.application.routes.draw do
-  resources :user, only: [] do
-    resource :password, only: %i[edit update]
-  end
-
-  resource :password_reset,     only: %i[new create]
-
+  resource :email_verification, only: %i[show new create]
   resource :email,              only: %i[edit update]
-  resource :email_verification, only: %i[new create show]
+  resource :password_reset,     only: %i[new create]
+  resource :password,           only: %i[edit update]
 end

data/lib/minimalist_authentication/configuration.rb

@@ -62,15 +62,19 @@ module MinimalistAuthentication
       self.logout_redirect_path     = :new_session_path
     end
 
+    # Clear the user_model class
+    def clear_user_model
+      @user_model = nil
+    end
+
+    # Display deprecation warning for email_prefix
     def email_prefix=(_)
       MinimalistAuthentication.deprecator.warn("The #email_prefix configuration setting is no longer supported.")
     end
 
     # Returns the user_model class
-    # Calling constantize on a string makes this work correctly with
-    # the Spring application preloader gem.
     def user_model
-      user_model_name.constantize
+      @user_model ||= user_model_name.constantize
     end
   end
 end

data/lib/minimalist_authentication/controller.rb

@@ -9,6 +9,8 @@ module MinimalistAuthentication
       # use skip_before_action to open up specific actions
       before_action :authorization_required
 
+      helper MinimalistAuthentication::ApplicationHelper
+
       helper_method :current_user, :logged_in?, :authorized?
     end
 

data/lib/minimalist_authentication/email_verification.rb

@@ -5,9 +5,31 @@ module MinimalistAuthentication
     extend ActiveSupport::Concern
 
     included do
-      before_save :clear_email_verification, if: ->(user) { user.email_changed? }
+      generates_token_for :email_verification, expires_in: 1.hour do
+        email
+      end
 
-      scope :email_verified, -> { where("LENGTH(email) > 2").where.not(email_verified_at: nil) }
+      before_save :clear_email_verification, if: :email_changed?
+
+      scope :with_verified_email, -> { where.not(email_verified_at: nil) }
+    end
+
+    module ClassMethods
+      def email_verified
+        MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+          Calling #email_verified is deprecated.
+          Call #with_verified_email instead.
+        MSG
+        with_verified_email
+      end
+
+      def find_by_verified_email(email:)
+        active.with_verified_email.find_by(email:)
+      end
+    end
+
+    def email_verified?
+      email.present? && email_verified_at.present?
     end
 
     def needs_email_set?
@@ -18,26 +40,22 @@ module MinimalistAuthentication
       email_verification_enabled? && email.present? && email_verified_at.blank?
     end
 
-    def email_verified?
-      email.present? && email_verified_at.present?
-    end
-
     def verify_email(token)
-      secure_update(token, email_verified_at: Time.zone.now)
+      touch(:email_verified_at) if token_owner?(:email_verification, token)
     end
 
     private
 
-    def request_email_enabled?
-      MinimalistAuthentication.configuration.request_email
+    def clear_email_verification
+      self.email_verified_at = nil
     end
 
     def email_verification_enabled?
       MinimalistAuthentication.configuration.verify_email
     end
 
-    def clear_email_verification
-      self.email_verified_at = nil
+    def request_email_enabled?
+      MinimalistAuthentication.configuration.request_email
     end
   end
 end

data/lib/minimalist_authentication/engine.rb

@@ -2,5 +2,10 @@
 
 module MinimalistAuthentication
   class Engine < ::Rails::Engine
+    isolate_namespace MinimalistAuthentication
+
+    config.to_prepare do
+      MinimalistAuthentication.configuration.clear_user_model
+    end
   end
 end

data/lib/minimalist_authentication/user.rb

@@ -11,6 +11,10 @@ module MinimalistAuthentication
     included do
       has_secure_password
 
+      generates_token_for :password_reset, expires_in: 1.hour do
+        password_salt.last(10)
+      end
+
       # Force validations for a blank password.
       attribute :password_required, :boolean, default: false
 
@@ -32,6 +36,8 @@ module MinimalistAuthentication
 
       # Active scope
       scope :active, ->(state = true) { where(active: state) }
+
+      delegate :password_minimum, to: :class
     end
 
     module ClassMethods
@@ -52,6 +58,9 @@ module MinimalistAuthentication
       def guest
         new(email: GUEST_USER_EMAIL).freeze
       end
+
+      # Minimum password length
+      def password_minimum = 12
     end
 
     # Called after a user is authenticated to determine if the user object should be returned.
@@ -94,9 +103,6 @@ module MinimalistAuthentication
       update_column(:last_logged_in_at, Time.current)
     end
 
-    # Minimum password length
-    def password_minimum = 12
-
     # Checks for password presence
     def password?
       password.present?
@@ -111,6 +117,11 @@ module MinimalistAuthentication
       end
     end
 
+    # Return true if the user matches the owner of the provided token.
+    def token_owner?(purpose, token)
+      self.class.find_by_token_for(purpose, token) == self
+    end
+
     # Require password for active users that either do no have a password hash
     # stored OR are attempting to set a new password. Set **password_required**
     # to true to force validations even when the password field is blank.

data/lib/minimalist_authentication/verifiable_token.rb

@@ -4,51 +4,33 @@ module MinimalistAuthentication
   module VerifiableToken
     extend ActiveSupport::Concern
 
-    TOKEN_EXPIRATION_HOURS = 6
-
-    # generate secure verification_token and record generation time
-    def regenerate_verification_token
-      update_token
-    end
-
-    def secure_update(token, attributes)
-      if matches_verification_token?(token)
-        update(attributes) && clear_token
-      else
-        errors.add(:base, "Verification token check failed")
-        false
-      end
+    included do
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        MinimalistAuthentication::VerifiableToken is no longer required.
+        You can safely remove the include from your user model.
+      MSG
     end
 
-    def matches_verification_token?(token)
-      token.present? && verification_token_valid? && secure_match?(token)
+    def matches_verification_token?(_token)
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #matches_verification_token? is deprecated.
+      MSG
     end
 
-    def verification_token_valid?
-      return false if verification_token.blank? || verification_token_generated_at.blank?
-
-      verification_token_generated_at > TOKEN_EXPIRATION_HOURS.hours.ago
-    end
-
-    private
-
-    def clear_token
-      update_token(token: nil, time: nil)
-    end
-
-    def update_token(token: self.class.generate_unique_secure_token, time: Time.now.utc)
-      update!(
-        verification_token:              token,
-        verification_token_generated_at: time
-      )
+    def regenerate_verification_token
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #regenerate_verification_token is deprecated and no longer generates tokens.
+        Call #generate_token_for with an argument of :password_reset or
+        :email_verification instead.
+      MSG
     end
 
-    # Compare the tokens in a time-constant manner, to mitigate timing attacks.
-    def secure_match?(token)
-      ActiveSupport::SecurityUtils.secure_compare(
-        ::Digest::SHA256.hexdigest(token),
-        ::Digest::SHA256.hexdigest(verification_token)
-      )
+    def verification_token
+      MinimalistAuthentication.deprecator.warn(<<-MSG.squish)
+        Calling #verification_token is deprecated and no longer returns a valid token.
+        Call #generate_token_for with an argument of :password_reset or
+        :email_verification instead.
+      MSG
     end
   end
 end

data/lib/minimalist_authentication/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MinimalistAuthentication
-  VERSION = "3.1.0"
+  VERSION = "3.2.0"
 end

data/lib/minimalist_authentication.rb

@@ -11,7 +11,11 @@ require "minimalist_authentication/sessions"
 require "minimalist_authentication/test_helper"
 
 module MinimalistAuthentication
-  def self.deprecator
-    @deprecator ||= ActiveSupport::Deprecation.new("4.0", name)
+  class << self
+    delegate :user_model, to: :configuration
+
+    def deprecator
+      @deprecator ||= ActiveSupport::Deprecation.new("4.0", name)
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: minimalist_authentication
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Aaron Baldwin
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-10 00:00:00.000000000 Z
+date: 2024-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -60,6 +60,7 @@ files:
 - app/controllers/emails_controller.rb
 - app/controllers/password_resets_controller.rb
 - app/controllers/passwords_controller.rb
+- app/helpers/minimalist_authentication/application_helper.rb
 - app/mailers/application_mailer.rb
 - app/mailers/minimalist_authentication_mailer.rb
 - app/views/email_verifications/new.html.erb