passwordless 0.10.0 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c45a41b4be30c959c37b50ef8013f4055c97ae516e4b8297b4f56607836cc09b
-  data.tar.gz: 7b0c50e087c5be36e5e89476764a407767aee4851fcb38c0b744bd532be8e982
+  metadata.gz: b90e8f97825d92f0728154737c428d39cfecbedc9e02bbe6948d0861dd5e9c39
+  data.tar.gz: 2a5b288bf8c16004c6ec8fe7b8937e9f72496475e6e9af4e6a70c32a7a1d05dc
 SHA512:
-  metadata.gz: b35ef690ecd6b37106d785ccb71693606387a8fcc48d5ea115b9d035211b8225d551291d3c64abdb89517cb0ceea17d31807d40ef6f168a9f5df742fd27b8d65
-  data.tar.gz: 8d8ba39b3711905ea36f5f20c009a26b42bcea43ed1bd1185ac56c0053e7afdb6fdf786f123fa8c01b2c095ec3104637d5017791056960293869053ff0b248a3
+  metadata.gz: 2350958cc2cb4628a6242a6c86ef08b3962fef2ba12fd9ed5a1bf8727f9254fc61fb77e9fa946bb015ebfc98eb81563d1e56aeb1c40d1cbc2ef96e66af512de9
+  data.tar.gz: 5fed7a3d7541a302fa9d6fc802bd530002846ea8cc4dae2057d03fdd799d66263752c766578bd96a441ab584d539739fbe55a63f7e258c5a7e1b16fdecb9eb7a

data/README.md

@@ -4,7 +4,7 @@
   <br />
 </p>
 
-[![Travis](https://travis-ci.org/mikker/passwordless.svg?branch=master)](https://travis-ci.org/mikker/passwordless) [![Rubygems](https://img.shields.io/gem/v/passwordless.svg)](https://rubygems.org/gems/passwordless) [![codecov](https://codecov.io/gh/mikker/passwordless/branch/master/graph/badge.svg)](https://codecov.io/gh/mikker/passwordless) [![Ruby Style Guide](https://img.shields.io/badge/code_style-standard-brightgreen.svg)](https://github.com/testdouble/standard)
+[![CI](https://github.com/mikker/passwordless/actions/workflows/ci.yml/badge.svg)](https://github.com/mikker/passwordless/actions/workflows/ci.yml) [![Rubygems](https://img.shields.io/gem/v/passwordless.svg)](https://rubygems.org/gems/passwordless) [![codecov](https://codecov.io/gh/mikker/passwordless/branch/master/graph/badge.svg)](https://codecov.io/gh/mikker/passwordless)
 
 Add authentication to your Rails app without all the icky-ness of passwords.
 
@@ -26,6 +26,8 @@ Add authentication to your Rails app without all the icky-ness of passwords.
   * [Token and Session Expiry](#token-and-session-expiry)
   * [Redirecting back after sign-in](#redirecting-back-after-sign-in)
   * [Claiming tokens](#claiming-tokens)
+  * [Supporting UUID primary keys](#supporting-uuid-primary-keys)
+* [Testing helpers](#testing-helpers)
 * [E-mail security](#e-mail-security)
 * [License](#license)
 
@@ -48,7 +50,7 @@ $ bin/rails passwordless:install:migrations
 
 Passwordless creates a single model called `Passwordless::Session`. It doesn't come with its own `User` model, it expects you to create one:
 
-```
+```sh
 $ bin/rails generate model User email
 ```
 
@@ -56,7 +58,10 @@ Then specify which field on your `User` record is the email field with:
 
 ```ruby
 class User < ApplicationRecord
-  validates :email, presence: true, uniqueness: { case_sensitive: false }
+  validates :email,
+            presence: true,
+            uniqueness: { case_sensitive: false },
+            format: { with: URI::MailTo::EMAIL_REGEXP }
 
   passwordless_with :email # <-- here!
 end
@@ -111,7 +116,9 @@ end
 
 ### Providing your own templates
 
-Override `passwordless`' bundled views by adding your own. `passwordless` has 2 action views and 1 mailer view:
+Override `passwordless`' bundled views by adding your own. You can manually copy the specific views that you need or copy them to your application with `rails generate passwordless:views`.
+
+`passwordless` has 2 action views and 1 mailer view:
 
 ```sh
 # the form where the user inputs their email address
@@ -131,6 +138,8 @@ If you'd like to let the user know whether or not a record was found, `@resource
 <% end %>
 ```
 
+Please note that, from a security standpoint, this is a **bad practice** because you'd be giving information about which users are registered on your system. It is recommended to use a single message similar to the default one: "If we found you in the system, we've sent you an email". The **best practice** is to never expose which emails are registered on your system.
+
 See [the bundled views](https://github.com/mikker/passwordless/tree/master/app/views/passwordless).
 
 ### Registering new users
@@ -177,7 +186,7 @@ By default, magic link will send by email. You can customize this method. For ex
 
 config/initializers/passwordless.rb
 
-```
+```ruby
 Passwordless.after_session_save = lambda do |session, request|
   # Default behavior is
   # Passwordless::Mailer.magic_link(session).deliver_now
@@ -195,7 +204,7 @@ Currently there is not an officially supported way to generate your own magic li
 
 However, you can accomplish this with the following snippet of code.
 
-```
+```ruby
 session = Passwordless::Session.new({
   authenticatable: @manager,
   user_agent: 'Command Line',
@@ -244,6 +253,9 @@ Passwordless.redirect_back_after_sign_in = true # When enabled the user will be
 Passwordless.expires_at = lambda { 1.year.from_now } # How long until a passwordless session expires.
 Passwordless.timeout_at = lambda { 1.hour.from_now } # How long until a magic link expires.
 
+# redirection session behavior
+Passwordless.redirect_to_response_options = {} # any allowed response_options for redirect_to can go in here
+
 # Default redirection paths
 Passwordless.success_redirect_path = '/' # When a user succeeds in logging in.
 Passwordless.failure_redirect_path = '/' # When a a login is failed for any reason.
@@ -319,7 +331,7 @@ config/initializers/passwordless.rb
 Passwordless.restrict_token_reuse = true
 ```
 
-#### Upgrading an existing Rails app
+#### Upgrading an existing Rails app to use claim token
 
 The simplest way to update your sessions table is with a single migration:
 
@@ -340,11 +352,55 @@ end
 ```
 </details>
 
+### Supporting UUID primary keys
+
+If your `users` table uses UUIDs for its primary keys, you will need to add a migration
+to change the type of `passwordless`' `authenticatable_id` field to match your primary key type (this will also involve dropping and recreating associated indices).
+
+Here is an example migration you can use:
+```ruby
+class SupportUuidInPasswordlessSessions < ActiveRecord::Migration[6.0]
+  def change
+    remove_index :passwordless_sessions, column: [:authenticatable_type, :authenticatable_id] if index_exists? :authenticatable_type, :authenticatable_id
+    remove_column :passwordless_sessions, :authenticatable_id
+    add_column :passwordless_sessions, :authenticatable_id, :uuid
+    add_index :passwordless_sessions, [:authenticatable_type, :authenticatable_id], name: 'authenticatable'
+  end
+end
+```
+
+Alternatively, you can use `add_reference` with `type: :uuid` in your migration (see docs [here](https://api.rubyonrails.org/classes/ActiveRecord/ConnectionAdapters/SchemaStatements.html#method-i-add_reference)).
+
+## Testing helpers
+
+To help with testing, a set of test helpers are provided.
+
+If you are using RSpec, add the following line to your `spec/rails_helper.rb` or
+`spec/spec_helper.rb` if `rails_helper.rb` does not exist:
+
+```ruby
+require "passwordless/test_helpers"
+```
+
+If you are using TestUnit, add this line to your `test/test_helper.rb`:
+
+```ruby
+require "passwordless/test_helpers"
+```
+
+
+Then in your controller, request, and system tests/specs, you can utilize the following methods:
+
+```ruby
+passwordless_sign_in(user) # signs you in as a user
+passwordless_sign_out # signs out user
+```
+
 ## E-mail security
 
 There's no reason that this approach should be less secure than the usual username/password combo. In fact this is most often a more secure option, as users don't get to choose the weak passwords they still use. In a way this is just the same as having each user go through "Forgot password" on every login.
 
-But be aware that when everyone authenticates via emails you send, the way you send those mails becomes a weak spot. Email services usually provide a log of all the mails you send so if your app's account is compromised, every user in the system is as well. (This is the same for "Forgot password".) [Reddit was compromised](https://thenextweb.com/hardfork/2018/01/05/reddit-bitcoin-cash-hack/) using this method.
+But be aware that when everyone authenticates via emails you send, the way you send those mails becomes a weak spot. Email services usually provide a log of all the mails you send so if your app's account is compromised, every user in the system is as well. (This is the same for "Forgot password".) [Reddit was compromised](https://thenextweb.com/hardfork/2018/01/05/reddit-bitcoin-cash-stolen-hack/) using this method.
 
 Ideally you should set up your email provider to not log these mails. And be sure to turn on 2-factor auth if your provider supports it.
 

data/app/controllers/passwordless/sessions_controller.rb

@@ -17,7 +17,7 @@ module Passwordless
 
     # post '/sign_in'
     #   Creates a new Session record then sends the magic link
-    #   renders sessions/create.html.erb.
+    #   redirects to sign in page with generic flash message.
     # @see Mailer#magic_link Mailer#magic_link
     def create
       @resource = find_authenticatable
@@ -31,7 +31,8 @@ module Passwordless
         end
       end
 
-      render
+      flash[:notice] = I18n.t('passwordless.sessions.create.email_sent_if_record_found')
+      redirect_to(sign_in_path)
     end
 
     # get '/sign_in/:token'
@@ -42,24 +43,25 @@ module Passwordless
     # @see ControllerHelpers#save_passwordless_redirect_location!
     def show
       # Make it "slow" on purpose to make brute-force attacks more of a hassle
+      redirect_to_options = Passwordless.redirect_to_response_options.dup
       BCrypt::Password.create(params[:token])
-      sign_in passwordless_session
+      sign_in(passwordless_session)
 
-      redirect_to passwordless_success_redirect_path
+      redirect_to(passwordless_success_redirect_path, redirect_to_options)
     rescue Errors::TokenAlreadyClaimedError
       flash[:error] = I18n.t(".passwordless.sessions.create.token_claimed")
-      redirect_to passwordless_failure_redirect_path
+      redirect_to(passwordless_failure_redirect_path, redirect_to_options)
     rescue Errors::SessionTimedOutError
       flash[:error] = I18n.t(".passwordless.sessions.create.session_expired")
-      redirect_to passwordless_failure_redirect_path
+      redirect_to(passwordless_failure_redirect_path, redirect_to_options)
     end
 
     # match '/sign_out', via: %i[get delete].
     #   Signs user out. Redirects to root_path
     # @see ControllerHelpers#sign_out
     def destroy
-      sign_out authenticatable_class
-      redirect_to passwordless_sign_out_redirect_path
+      sign_out(authenticatable_class)
+      redirect_to(passwordless_sign_out_redirect_path, Passwordless.redirect_to_response_options.dup)
     end
 
     protected

data/app/mailers/passwordless/mailer.rb

@@ -10,8 +10,7 @@ module Passwordless
     def magic_link(session)
       @session = session
 
-      @magic_link = send(Passwordless.mounted_as)
-                      .token_sign_in_url(session.token)
+      @magic_link = send(Passwordless.mounted_as).token_sign_in_url(session.token)
 
       email_field = @session.authenticatable.class.passwordless_email_field
       mail(

data/app/models/passwordless/session.rb

@@ -4,10 +4,13 @@ module Passwordless
   # The session responsible for holding the connection between the record
   # trying to log in and the unique tokens.
   class Session < ApplicationRecord
-    belongs_to :authenticatable,
-      polymorphic: true, inverse_of: :passwordless_sessions
+    belongs_to(
+      :authenticatable,
+      polymorphic: true,
+      inverse_of: :passwordless_sessions
+    )
 
-    validates \
+    validates(
       :authenticatable,
       :timeout_at,
       :expires_at,
@@ -15,16 +18,19 @@ module Passwordless
       :remote_addr,
       :token,
       presence: true
+    )
 
     before_validation :set_defaults
 
-    scope :available, lambda {
-      where("expires_at > ?", Time.current)
-    }
+    scope(
+      :available,
+      lambda { where("expires_at > ?", Time.current) }
+    )
 
     def self.valid
       available
     end
+
     class << self
       deprecate :valid, deprecator: SessionValidDeprecation
     end

data/app/views/passwordless/sessions/new.html.erb

@@ -1,5 +1,5 @@
-<%= form_for @session, url: send(Passwordless.mounted_as).sign_in_path do |f| %>
+<%= form_with model: @session, url: send(Passwordless.mounted_as).sign_in_path, data: { turbo: 'false' } do |f| %>
   <% email_field_name = :"passwordless[#{@email_field}]" %>
-  <%= text_field_tag email_field_name, params.fetch(email_field_name, nil) %>
+  <%= text_field_tag email_field_name, params.fetch(email_field_name, nil), required: true %>
   <%= f.submit I18n.t('passwordless.sessions.new.submit') %>
 <% end %>

data/config/routes.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 Passwordless::Engine.routes.draw do
-  get "/sign_in", to: "sessions#new", as: :sign_in
-  post "/sign_in", to: "sessions#create"
-  get "/sign_in/:token", to: "sessions#show", as: :token_sign_in
-  match "/sign_out", to: "sessions#destroy", via: %i[get delete], as: :sign_out
+  get("/sign_in", to: "sessions#new", as: :sign_in)
+  post("/sign_in", to: "sessions#create")
+  get("/sign_in/:token", to: "sessions#show", as: :token_sign_in)
+  match("/sign_out", to: "sessions#destroy", via: %i[get delete], as: :sign_out)
 end

data/db/migrate/20171104221735_create_passwordless_sessions.rb

@@ -2,18 +2,19 @@
 
 class CreatePasswordlessSessions < ActiveRecord::Migration[5.1]
   def change
-    create_table :passwordless_sessions do |t|
+    create_table(:passwordless_sessions) do |t|
       t.belongs_to(
         :authenticatable,
         polymorphic: true,
         index: {name: "authenticatable"}
       )
-      t.datetime :timeout_at, null: false
-      t.datetime :expires_at, null: false
-      t.datetime :claimed_at
-      t.text :user_agent, null: false
-      t.string :remote_addr, null: false
-      t.string :token, null: false
+
+      t.datetime(:timeout_at, null: false)
+      t.datetime(:expires_at, null: false)
+      t.datetime(:claimed_at)
+      t.text(:user_agent, null: false)
+      t.string(:remote_addr, null: false)
+      t.string(:token, null: false)
 
       t.timestamps
     end

data/lib/generators/passwordless/views_generator.rb

@@ -0,0 +1,15 @@
+require 'rails/generators'
+
+module Passwordless
+  module Generators
+    class ViewsGenerator < Rails::Generators::Base
+      source_root File.expand_path('../../../app/views/passwordless', __dir__)
+
+      def install
+        copy_file 'mailer/magic_link.text.erb', 'app/views/passwordless/mailer/magic_link.text.erb'
+        copy_file 'sessions/new.html.erb', 'app/views/passwordless/sessions/new.html.erb'
+        copy_file 'sessions/create.html.erb', 'app/views/passwordless/sessions/create.html.erb'
+      end
+    end
+  end
+end

data/lib/passwordless/controller_helpers.rb

@@ -39,6 +39,7 @@ module Passwordless
 
       authenticate_by_session(authenticatable_class)
     end
+
     deprecate :authenticate_by_cookie, deprecator: CookieDeprecation
 
     def upgrade_passwordless_cookie(authenticatable_class)
@@ -51,7 +52,7 @@ module Passwordless
       return unless (record = authenticatable_class.find_by(id: authenticatable_id))
       new_session = build_passwordless_session(record).tap { |s| s.save! }
 
-      sign_in new_session
+      sign_in(new_session)
 
       new_session.authenticatable
     end
@@ -73,20 +74,25 @@ module Passwordless
     # to sign in
     # @return [ActiveRecord::Base] the record that is passed in.
     def sign_in(record)
-      passwordless_session =
-        if record.is_a?(Passwordless::Session)
-          record
-        else
-          warn "Passwordless::ControllerHelpers#sign_in with authenticatable " \
+      passwordless_session = if record.is_a?(Passwordless::Session)
+        record
+      else
+        warn(
+          "Passwordless::ControllerHelpers#sign_in with authenticatable " \
             "(`#{record.class}') is deprecated. Falling back to creating a " \
             "new Passwordless::Session"
-          build_passwordless_session(record).tap { |s| s.save! }
-        end
+        )
+        build_passwordless_session(record).tap { |s| s.save! }
+      end
 
       passwordless_session.claim! if Passwordless.restrict_token_reuse
 
       raise Passwordless::Errors::SessionTimedOutError if passwordless_session.timed_out?
 
+      old_session = session.dup.to_hash
+      reset_session if defined?(reset_session) # allow usage outside controllers
+      old_session.each_pair { |k, v| session[k.to_sym] = v }
+
       key = session_key(passwordless_session.authenticatable_type)
       session[key] = passwordless_session.id
 
@@ -105,9 +111,9 @@ module Passwordless
       key = cookie_name(authenticatable_class)
       cookies.encrypted.permanent[key] = {value: nil}
       cookies.delete(key)
-      # /deprecated
 
-      reset_session
+      # /deprecated
+      reset_session if defined?(reset_session) # allow usage outside controllers
       true
     end
 

data/lib/passwordless/engine.rb

@@ -7,15 +7,17 @@ module Passwordless
 
     config.to_prepare do
       require "passwordless/router_helpers"
+
       ActionDispatch::Routing::Mapper.include RouterHelpers
       require "passwordless/model_helpers"
+
       ActiveRecord::Base.extend ModelHelpers
       require "passwordless/controller_helpers"
+
     end
 
     config.before_initialize do |app|
-      app.config.i18n.load_path +=
-        Dir[Engine.root.join("config", "locales", "*.yml")]
+      app.config.i18n.load_path += Dir[Engine.root.join("config", "locales", "*.yml")]
     end
   end
 end

data/lib/passwordless/errors.rb

@@ -3,9 +3,11 @@
 module Passwordless
   module Errors
     # Raise this exception when a session is expired.
-    class SessionTimedOutError < StandardError; end
+    class SessionTimedOutError < StandardError
+    end
 
     # Raise this exception when the token has been previously claimed
-    class TokenAlreadyClaimedError < StandardError; end
+    class TokenAlreadyClaimedError < StandardError
+    end
   end
 end

data/lib/passwordless/model_helpers.rb

@@ -8,9 +8,11 @@ module Passwordless
     #   field name (e.g. `:email`)
     # @param field [string] email submitted by user.
     def passwordless_with(field)
-      has_many :passwordless_sessions,
+      has_many(
+        :passwordless_sessions,
         class_name: "Passwordless::Session",
         as: :authenticatable
+      )
 
       define_singleton_method(:passwordless_email_field) { field }
     end

data/lib/passwordless/router_helpers.rb

@@ -20,8 +20,10 @@ module Passwordless
       mount_at = at || resource.to_s
       mount_as = as || resource.to_s
       mount(
-        Passwordless::Engine, at: mount_at, as: mount_as,
-                              defaults: {authenticatable: resource.to_s.singularize}
+        Passwordless::Engine,
+        at: mount_at,
+        as: mount_as,
+        defaults: {authenticatable: resource.to_s.singularize}
       )
 
       Passwordless.mounted_as = mount_as

data/lib/passwordless/test_helpers.rb

@@ -0,0 +1,43 @@
+module Passwordless
+  module TestHelpers
+    module TestCase
+      def passwordless_sign_out
+        delete Passwordless::Engine.routes.url_helpers.sign_out_path
+        follow_redirect!
+      end
+
+      def passwordless_sign_in(resource)
+        session = Passwordless::Session.create!(authenticatable: resource, user_agent: "TestAgent", remote_addr: "unknown")
+        get Passwordless::Engine.routes.url_helpers.token_sign_in_path(session.token)
+        follow_redirect!
+      end
+    end
+
+    module SystemTestCase
+      def passwordless_sign_out
+        visit Passwordless::Engine.routes.url_helpers.sign_out_path
+      end
+
+      def passwordless_sign_in(resource)
+        session = Passwordless::Session.create!(authenticatable: resource, user_agent: "TestAgent", remote_addr: "unknown")
+        visit Passwordless::Engine.routes.url_helpers.token_sign_in_path(session.token)
+      end
+    end
+  end
+end
+
+if defined?(ActiveSupport::TestCase)
+  ActiveSupport::TestCase.send(:include, ::Passwordless::TestHelpers::TestCase)
+end
+
+if defined?(ActionDispatch::SystemTestCase)
+  ActionDispatch::SystemTestCase.send(:include, ::Passwordless::TestHelpers::SystemTestCase)
+end
+
+if defined?(RSpec)
+  RSpec.configure do |config|
+    config.include ::Passwordless::TestHelpers::TestCase, type: :request
+    config.include ::Passwordless::TestHelpers::TestCase, type: :controller
+    config.include ::Passwordless::TestHelpers::SystemTestCase, type: :system
+  end
+end

data/lib/passwordless/version.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
 module Passwordless
-  VERSION = "0.10.0" # :nodoc:
+  # :nodoc:
+  VERSION = "0.12.0"
 end

data/lib/passwordless.rb

@@ -16,6 +16,7 @@ module Passwordless
 
   mattr_accessor(:expires_at) { lambda { 1.year.from_now } }
   mattr_accessor(:timeout_at) { lambda { 1.hour.from_now } }
+  mattr_accessor(:redirect_to_response_options) { {} }
   mattr_accessor(:success_redirect_path) { "/" }
   mattr_accessor(:failure_redirect_path) { "/" }
   mattr_accessor(:sign_out_redirect_path) { "/" }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passwordless
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.12.0
 platform: ruby
 authors:
 - Mikkel Malmberg
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-07 00:00:00.000000000 Z
+date: 2023-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -42,14 +42,14 @@ dependencies:
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.4.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.4.1
 - !ruby/object:Gem::Dependency
@@ -96,17 +96,18 @@ files:
 - app/models/passwordless/application_record.rb
 - app/models/passwordless/session.rb
 - app/views/passwordless/mailer/magic_link.text.erb
-- app/views/passwordless/sessions/create.html.erb
 - app/views/passwordless/sessions/new.html.erb
 - config/locales/en.yml
 - config/routes.rb
 - db/migrate/20171104221735_create_passwordless_sessions.rb
+- lib/generators/passwordless/views_generator.rb
 - lib/passwordless.rb
 - lib/passwordless/controller_helpers.rb
 - lib/passwordless/engine.rb
 - lib/passwordless/errors.rb
 - lib/passwordless/model_helpers.rb
 - lib/passwordless/router_helpers.rb
+- lib/passwordless/test_helpers.rb
 - lib/passwordless/url_safe_base_64_generator.rb
 - lib/passwordless/version.rb
 homepage: https://github.com/mikker/passwordless
@@ -128,7 +129,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.4.14
 signing_key:
 specification_version: 4
 summary: Add authentication to your app without all the ickyness of passwords.

data/app/views/passwordless/sessions/create.html.erb

@@ -1 +0,0 @@
-<p><%= I18n.t('passwordless.sessions.create.email_sent_if_record_found') %></p>