no_password_auth 0.2.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 21b0742b67d08d1694998ce4a0cb4c5460eaa07d28b4481bd2f081580dfe2cad
-  data.tar.gz: 2148a8faa5cccc2d52f33708d862f116d69b832a1043dfc18aa9900d1c9a0ae3
+  metadata.gz: 5745ba598e70ea21003c8df138f386b06d011bc0d259832dc92cbebfde29c7d6
+  data.tar.gz: c574de1146ad1b918754f9d1a67fe40db5178128eb3c3e56ec1d22d7426e837a
 SHA512:
-  metadata.gz: 395f222367f5bfe903e1947e2fb4246ecad6c11c904679dc78ed3dc43e0a751066aa6cce9f016d2fd6e6aca396321898d240775ba1348a43aa1716c11fcdb1a3
-  data.tar.gz: d8beccec2e849f9a407ddfd27850e4a2c1568f4189564424578e669d5030c39f1b25653f324c157c93a4cab5daffa4908a59e5042ae04ac3213bdba11a5bcca0
+  metadata.gz: 97d30412f3f72b245734accb362d29bf90bb1ae23b35b28cc3557b9422b904cdad195c8508958a00a41ea4790ab42a248b100cb43db3df057496feb15284983c
+  data.tar.gz: b05a590cb97582b831ef817e090ac17e4139c7ccae13f0806569db4d4c565e9cc082f1a203748ace6a5bf6ed1240976cc5a20a8c0cec723152df2dc7ef6fa848

data/README-ES.md

@@ -144,16 +144,15 @@ El flujo normal para iniciar sesión consta de dos pasos, una página donde se i
 
 Este callback va a ser llamado en cada intento de iniciar sesión, ya sea con código o con link mágico, independientemente de si el inicio de sesión es exitoso o no.
 ```ruby
-after_sign_in!(signed_in, by_url, return_url)
+after_sign_in!(current_session, by_url)
 ```
-El callback recibe 3 parámetros.
-- `signed_in`: indica si fue exitoso el inicio de sesión o no, su valor es booleano.
+El callback recibe dos parámetros.
+- `current_session`: El objecto que representa a la sesión activa.
 - `by_url`: indica como se inentó iniciar sesión, ya sea por el link mágico o con el código introducido manualmente, su valor es booleano.
-- `return_url`: Contiene la URL a donde redireccionar al usuario en caso de que el inicio de sesión sea exitoso, su valor es una cadena de texto.
 
 El controlador `SessionConfirmationsController` espera como respuesta del callback los siguientes posibles valores:
 - `nil`: con el cual se indica que se ejecutó el callback y que regresa el control del flujo al controlador.
-- `render` o `redirect_to`: en este caso le indicamos al controlador que el callback toma el control del flujo.
+- `redirect path`: es una ruta en forma de string que indica que el callback se ejecutó y espera una redirección a esa ruta específica.
 
 Podemos implementar el callback `after_sign_in!` creando el archivo `app/controllers/no_password/session_confirmations_controller.rb` en nuestra aplicación principal,
 donde cargamos el controlador original desde el engine de NoPassword y con `class_eval` le inyectamos el método.
@@ -162,12 +161,12 @@ donde cargamos el controlador original desde el engine de NoPassword y con `clas
 load NoPassword::Engine.root.join("app", "controllers", "no_password", "session_confirmations_controller.rb")
 
 NoPassword::SessionConfirmationsController.class_eval do
-  def after_sign_in!(signed_in, by_url)
+  def after_sign_in!(current_session, by_url)
     return do_something_different if signed_in # Do something different if user signed in successfully
     return nil if !by_url # Return control if failed to sign in with magic link
 
     flash[:alert] = "Your code is not valid"
-    redirect_to main_app.demo_path # Redirect somewhere else if token is invalid
+    main_app.demo_path # Redirect somewhere else if token is invalid
   end
 end
 ```

data/README.md

@@ -145,16 +145,15 @@ This is an example of a custom flow that mimics a Single Page flow.
 
 The callback is called on every intent to start a session, whether the sign was successful or not.
 ```ruby
-after_sign_in!(signed_in, by_url, return_url)
+after_sign_in!(current_session, by_url)
 ```
-It receives three parameters.
-- `signed_in`: A boolean value that indicates if the user succeeded in getting a session.
+It receives two parameters.
+- `current_session`: An object that represents the active session.
 - `by_url`: A boolean value that indicates if the login happens with the magic link or entered token manually.
-- `return_url`: A string value with the return path if the user succeeded in getting a session.
 
 The `SessionConfirmationsController` controller expects any of the following possible values from the callback.
 - `nil`: indicates callback was executed but is returning flow control to the controller.
-- `render` o `redirect_to`: indicates callback was executed and is taking over sign in flow.
+- `redirect path`: it is a string path that indicates callback was executed and want to redirect to specific path.
 
 `after_sign_in!` callback is implemented by creating a `app/controllers/no_password/session_confirmations_controller.rb`  file in your application. The original controller from NoPassword engine is loaded, and then the callback is added with a `class_eval`.
 
@@ -162,12 +161,12 @@ The `SessionConfirmationsController` controller expects any of the following pos
 load NoPassword::Engine.root.join("app", "controllers", "no_password", "session_confirmations_controller.rb")
 
 NoPassword::SessionConfirmationsController.class_eval do
-  def after_sign_in!(signed_in, by_url)
+  def after_sign_in!(current_session, by_url)
     return do_something_different if signed_in # Do something different if user signed in successfully
     return nil if !by_url # Return control if failed to sign in with magic link
 
     flash[:alert] = "Your code is not valid"
-    redirect_to main_app.demo_path # Redirect somewhere else if token is invalid
+    main_app.demo_path # Redirect somewhere else if token is invalid
   end
 end
 ```

data/app/controllers/no_password/application_controller.rb

@@ -1,4 +1,5 @@
 module NoPassword
   class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
   end
 end

data/app/controllers/no_password/session_confirmations_controller.rb

@@ -6,16 +6,18 @@ module NoPassword
     include NoPassword::WebTokens
 
     def edit
-      if params[:token].present?
-        token = verify_token(params[:token])
+      return unless params[:token].present?
 
-        sign_in_session(token, true)
-      end
+      token = verify_token(params[:token])
+      redirect_url = sign_in_session(token, by_url: true)
+
+      redirect_to(redirect_url) if redirect_url.present?
     end
 
     def update
-      result = sign_in_session(params[:token])
-      return result if result.present?
+      redirect_url = sign_in_session(params[:token])
+
+      return redirect_to(redirect_url) if redirect_url.present?
 
       response.status = :unprocessable_entity
       render turbo_stream: turbo_stream.update("notifications", partial: "notification")
@@ -23,19 +25,25 @@ module NoPassword
 
     private
 
-    def sign_in_session(token, by_url = false)
+    def claim_session(token)
       current_session = SessionManager.new.claim(token)
+      if current_session.present?
+        save_session_to_cookie(current_session)
+      else
+        flash.now.alert = t("flash.update.invalid_code.alert")
+      end
 
-      flash.now.alert = t("flash.update.invalid_code.alert") if current_session.blank?
+      current_session
+    end
+
+    def sign_in_session(token, by_url: false)
+      current_session = claim_session(token)
 
-      result = if respond_to?(:after_sign_in!)
-        after_sign_in!(current_session.present?, by_url, current_session&.return_url)
+      if respond_to?(:after_sign_in!)
+        after_sign_in!(current_session, by_url)
       elsif current_session.present?
-        save_session_to_cookie(current_session)
-        redirect_to(current_session.return_url || main_app.root_path)
+        current_session.return_url || main_app.root_path
       end
-
-      result if result.present?
     end
 
     def save_session_to_cookie(current_session, key = nil, data = nil)

data/app/controllers/no_password/sessions_controller.rb

@@ -36,7 +36,7 @@ module NoPassword
       referrer = CGI.unescape(return_to)
       return nil if referrer.blank?
 
-      referrer.include?(no_password.new_session_path) || referrer.include?(no_password.edit_session_confirmations_path) ? nil : referrer
+      (referrer.include?(no_password.new_session_path) || referrer.include?(no_password.edit_session_confirmations_path)) ? nil : referrer
     end
 
     def sign_out(key = nil)

data/app/helpers/no_password/no_password_helper.rb

@@ -1,11 +1,9 @@
 module NoPassword
   module NoPasswordHelper
-    def no_password_importmap_tags(entry_point = "application", shim: true)
+    def no_password_importmap_tags(entry_point = "application")
       safe_join [
         javascript_inline_importmap_tag(NoPassword.configuration.importmap.to_json(resolver: self)),
         javascript_importmap_module_preload_tags(NoPassword.configuration.importmap),
-        (javascript_importmap_shim_nonce_configuration_tag if shim),
-        (javascript_importmap_shim_tag if shim),
         javascript_import_module_tag(entry_point)
       ].compact, "\n"
     end

data/config/brakeman.ignore

@@ -0,0 +1,52 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Redirect",
+      "warning_code": 18,
+      "fingerprint": "310eb4d856343cbe3a4b5357ce331265a65360c7c51cef559f077eaa96015e95",
+      "check_name": "Redirect",
+      "message": "Possible unprotected redirect",
+      "file": "app/controllers/no_password/session_confirmations_controller.rb",
+      "line": 14,
+      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
+      "code": "redirect_to(sign_in_session(verify_token(params[:token]), :by_url => true))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "NoPassword::SessionConfirmationsController",
+        "method": "edit"
+      },
+      "user_input": "params[:token]",
+      "confidence": "Weak",
+      "cwe_id": [
+        601
+      ],
+      "note": "It is ok,redirect is calculated."
+    },
+    {
+      "warning_type": "Redirect",
+      "warning_code": 18,
+      "fingerprint": "6a097716f95b29bd0948be5684aa38582be64c76f258032743ff949a8abdc064",
+      "check_name": "Redirect",
+      "message": "Possible unprotected redirect",
+      "file": "app/controllers/no_password/session_confirmations_controller.rb",
+      "line": 20,
+      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
+      "code": "redirect_to(sign_in_session(params[:token]))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "NoPassword::SessionConfirmationsController",
+        "method": "update"
+      },
+      "user_input": "params[:token]",
+      "confidence": "Weak",
+      "cwe_id": [
+        601
+      ],
+      "note": "It is ok, redirect is calculated."
+    }
+  ],
+  "updated": "2023-08-10 11:37:09 -0600",
+  "brakeman_version": "6.0.1"
+}

data/config/locales/en/mailers.en.yml

@@ -12,10 +12,10 @@ en:
     default_from: no-reply@aoorora.com
 
     send_token:
-      subject: Here is your temporary login token
+      subject: "Aoorora: Your temporary session code is here"
       greetings: Hello!
-      instructions_1: You requested a login token to start a new session. Here is your code. You can copy/paste the code into our website. Please don't share this code to anyone.
-      instructions_2: Or use this button to start a new session. It will open a new browser window.
+      instructions_1: You are receiving this email because you requested a login code to begin a demo session in Aoorora. Please don't share this code with anyone else.
+      instructions_2: Click this button to start a new session. It will open a new browser window.
       instructions_2_text: Or use the follwing link to start a new session. Copy and paste it your browser.
       start_session: Continue to your session
       instructions_3: If you did not request this email, please ignore and delete it. Do not resend or share it with other people.

data/config/locales/es/flash.es.yml

@@ -4,7 +4,7 @@ es:
       invalid_code:
         alert:
           title: Código inválido
-          description: Revise su código no es válido o ya expiró. Puede solicitar uno nuevo.
+          description: Revise su código, es válido o ya expiró. Puede solicitar uno nuevo.
       session:
         alert:
           title: No existe sesión activa

data/db/migrate/20211202211706_create_no_password_sessions.rb

@@ -1,7 +1,6 @@
 class CreateNoPasswordSessions < ActiveRecord::Migration[7.0]
   def change
     create_table :no_password_sessions, if_not_exists: true do |t|
-
       t.timestamp :expires_at
       t.timestamp :claimed_at
       t.string :token, null: false

data/lib/no_password/version.rb

@@ -1,3 +1,3 @@
 module NoPassword
-  VERSION = "0.2.1"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: no_password_auth
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Mario Alberto Chávez
@@ -10,78 +10,84 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-08 00:00:00.000000000 Z
+date: 2024-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.1.0
+    - - "<="
       - !ruby/object:Gem::Version
-        version: 7.0.0
+        version: 7.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.1.0
+    - - "<="
       - !ruby/object:Gem::Version
-        version: 7.0.0
+        version: 7.2.0
 - !ruby/object:Gem::Dependency
   name: turbo-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: stimulus-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 1.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 1.3.0
 - !ruby/object:Gem::Dependency
   name: importmap-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: tailwindcss-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: standard
   requirement: !ruby/object:Gem::Requirement
@@ -170,6 +176,7 @@ files:
 - app/views/no_password/sessions/new.html.erb
 - app/views/no_password/sessions_mailer/send_token.html.erb
 - app/views/no_password/sessions_mailer/send_token.text.erb
+- config/brakeman.ignore
 - config/initializers/importmap.rb
 - config/locales/en/flash.en.yml
 - config/locales/en/forms.en.yml
@@ -220,7 +227,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.5.6
 signing_key:
 specification_version: 4
 summary: Passwordless Ruby on Rails engine.