RubyGems - passwordless - Versions diffs - 0.11.0 → 1.0.0.beta1 - Mend

passwordless 0.11.0 → 1.0.0.beta1

Files changed (27) hide show

checksums.yaml +4 -4
data/README.md +112 -189
data/Rakefile +7 -7
data/app/controllers/passwordless/sessions_controller.rb +121 -39
data/app/mailers/passwordless/mailer.rb +13 -11
data/app/models/passwordless/session.rb +25 -12
data/app/views/passwordless/mailer/sign_in.text.erb +1 -0
data/app/views/passwordless/sessions/new.html.erb +8 -4
data/app/views/passwordless/sessions/show.html.erb +5 -0
data/config/locales/en.yml +18 -6
data/config/routes.rb +0 -4
data/db/migrate/20171104221735_create_passwordless_sessions.rb +1 -3
data/lib/generators/passwordless/views_generator.rb +5 -5
data/lib/passwordless/config.rb +71 -0
data/lib/passwordless/controller_helpers.rb +31 -69
data/lib/passwordless/engine.rb +2 -6
data/lib/passwordless/errors.rb +4 -0
data/lib/passwordless/router_helpers.rb +24 -10
data/lib/passwordless/short_token_generator.rb +9 -0
data/lib/passwordless/test_helpers.rb +19 -9
data/lib/passwordless/token_digest.rb +18 -0
data/lib/passwordless/version.rb +1 -1
data/lib/passwordless.rb +5 -18
metadata +12 -52
data/app/views/passwordless/mailer/magic_link.text.erb +0 -1
data/app/views/passwordless/sessions/create.html.erb +0 -1
data/lib/passwordless/url_safe_base_64_generator.rb +0 -15

data/app/controllers/passwordless/sessions_controller.rb CHANGED Viewed

@@ -7,71 +7,108 @@ module Passwordless
   class SessionsController < ApplicationController
     include ControllerHelpers
-    # get '/sign_in'
+    helper_method :email_field
+    # get '/:resource/sign_in'
     #   Assigns an email_field and new Session to be used by new view.
     #   renders sessions/new.html.erb.
     def new
-      @email_field = email_field
       @session = Session.new
     end
-    # post '/sign_in'
+    # post '/:resource/sign_in'
     #   Creates a new Session record then sends the magic link
-    #   renders sessions/create.html.erb.
-    # @see Mailer#magic_link Mailer#magic_link
+    #   redirects to sign in page with generic flash message.
     def create
-      @resource = find_authenticatable
-      session = build_passwordless_session(@resource)
+      unless @resource = find_authenticatable
+        raise(
+          ActiveRecord::RecordNotFound,
+          "Couldn't find #{authenticatable_type} with email #{passwordless_session_params[email_field]}"
+        )
+      end
+      @session = build_passwordless_session(@resource)
-      if session.save
-        if Passwordless.after_session_save.arity == 2
-          Passwordless.after_session_save.call(session, request)
+      if @session.save
+        if Passwordless.config.after_session_save.arity == 2
+          Passwordless.config.after_session_save.call(@session, request)
         else
-          Passwordless.after_session_save.call(session)
+          Passwordless.config.after_session_save.call(@session)
         end
-        render :create, status: :ok
+        redirect_to(
+          url_for(id: @session.id, action: "show"),
+          flash: {notice: I18n.t("passwordless.sessions.create.email_sent")}
+        )
       else
-        render :create, status: :unprocessable_entity
+        flash[:error] = I18n.t("passwordless.sessions.create.error")
+        render(:new, status: :unprocessable_entity)
       end
+    rescue ActiveRecord::RecordNotFound
+      flash[:error] = I18n.t("passwordless.sessions.create.not_found")
+      render(:new, status: :not_found)
     end
-    # get '/sign_in/:token'
+    # get "/:resource/sign_in/:id"
+    #   Shows the form for confirming a Session record.
+    #   renders sessions/show.html.erb.
+    def show
+      @session = find_session
+    end
+    # patch "/:resource/sign_in/:id"
+    #   User submits the form for confirming a Session record.
     #   Looks up session record by provided token. Signs in user if a match
     #   is found. Redirects to either the user's original destination
-    #   or _root_path_
+    #   or _Passwordless.config.success_redirect_path_.
+    #
     # @see ControllerHelpers#sign_in
     # @see ControllerHelpers#save_passwordless_redirect_location!
-    def show
-      # Make it "slow" on purpose to make brute-force attacks more of a hassle
-      BCrypt::Password.create(params[:token])
-      sign_in(passwordless_session)
+    def update
+      @session = find_session
-      redirect_to(passwordless_success_redirect_path)
-    rescue Errors::TokenAlreadyClaimedError
-      flash[:error] = I18n.t(".passwordless.sessions.create.token_claimed")
-      redirect_to(passwordless_failure_redirect_path)
-    rescue Errors::SessionTimedOutError
-      flash[:error] = I18n.t(".passwordless.sessions.create.session_expired")
-      redirect_to(passwordless_failure_redirect_path)
+      artificially_slow_down_brute_force_attacks(passwordless_session_params[:token])
+      authenticate_and_sign_in(@session, passwordless_session_params[:token])
+    end
+    # get "/:resource/sign_in/:id/:token"
+    #   User visits the link sent to them via email.
+    #   Looks up session record by provided token. Signs in user if a match
+    #   is found. Redirects to either the user's original destination
+    #   or _Passwordless.config.success_redirect_path_.
+    #
+    # @see ControllerHelpers#sign_in
+    # @see ControllerHelpers#save_passwordless_redirect_location!
+    def confirm
+      # Some email clients will visit links in emails to check if they are
+      # safe. We don't want to sign in the user in that case.
+      return head(:ok) if request.head?
+      @session = find_session
+      artificially_slow_down_brute_force_attacks(params[:token])
+      authenticate_and_sign_in(@session, params[:token])
     end
-    # match '/sign_out', via: %i[get delete].
+    # match '/:resource/sign_out', via: %i[get delete].
     #   Signs user out. Redirects to root_path
     # @see ControllerHelpers#sign_out
     def destroy
       sign_out(authenticatable_class)
-      redirect_to(passwordless_sign_out_redirect_path)
+      redirect_to(passwordless_sign_out_redirect_path, Passwordless.config.redirect_to_response_options.dup)
     end
     protected
     def passwordless_sign_out_redirect_path
-      Passwordless.sign_out_redirect_path
+      Passwordless.config.sign_out_redirect_path
     end
     def passwordless_failure_redirect_path
-      Passwordless.failure_redirect_path
+      Passwordless.config.failure_redirect_path
     end
     def passwordless_query_redirect_path
@@ -82,32 +119,54 @@ module Passwordless
     end
     def passwordless_success_redirect_path
-      return Passwordless.success_redirect_path unless Passwordless.redirect_back_after_sign_in
+      return Passwordless.config.success_redirect_path unless Passwordless.config.redirect_back_after_sign_in
       session_redirect_url = reset_passwordless_redirect_location!(authenticatable_class)
-      passwordless_query_redirect_path || session_redirect_url || Passwordless.success_redirect_path
+      passwordless_query_redirect_path || session_redirect_url || Passwordless.config.success_redirect_path
     end
     private
+    def artificially_slow_down_brute_force_attacks(token)
+      # Make it "slow" on purpose to make brute-force attacks more of a hassle
+      BCrypt::Password.create(token)
+    end
+    def authenticate_and_sign_in(session, token)
+      if session.authenticate(token)
+        sign_in(session)
+        redirect_to(passwordless_success_redirect_path, status: :see_other, **redirect_to_options)
+      else
+        flash[:error] = I18n.t("passwordless.sessions.errors.invalid_token")
+        render(status: :forbidden, action: "show")
+      end
+    rescue Errors::TokenAlreadyClaimedError
+      flash[:error] = I18n.t("passwordless.sessions.errors.token_claimed")
+      redirect_to(passwordless_failure_redirect_path, status: :see_other, **redirect_to_options)
+    rescue Errors::SessionTimedOutError
+      flash[:error] = I18n.t("passwordless.sessions.errors.session_expired")
+      redirect_to(passwordless_failure_redirect_path, status: :see_other, **redirect_to_options)
+    end
     def authenticatable
       params.fetch(:authenticatable)
     end
-    def authenticatable_classname
+    def authenticatable_type
       authenticatable.to_s.camelize
     end
     def authenticatable_class
-      authenticatable_classname.constantize
+      authenticatable_type.constantize
     end
-    def email_field
-      authenticatable_class.passwordless_email_field
+    def find_session
+      Session.find_by!(id: params[:id], authenticatable_type: authenticatable_type)
     end
     def find_authenticatable
-      email = params[:passwordless][email_field].downcase.strip
+      email = passwordless_session_params[email_field].downcase.strip
       if authenticatable_class.respond_to?(:fetch_resource_for_passwordless)
         authenticatable_class.fetch_resource_for_passwordless(email)
@@ -116,11 +175,34 @@ module Passwordless
       end
     end
+    def email_field
+      authenticatable_class.passwordless_email_field
+    rescue NoMethodError => e
+      raise(
+        MissingEmailFieldError,
+        <<~MSG
+          undefined method `passwordless_email_field' for #{authenticatable_type}
+                  Remember to add something like `passwordless_with :email` to you model
+        MSG
+          .strip_heredoc,
+        caller[1..-1]
+      )
+    end
+    def redirect_to_options
+      @redirect_to_options ||= (Passwordless.config.redirect_to_response_options.dup || {})
+    end
     def passwordless_session
       @passwordless_session ||= Session.find_by!(
-        authenticatable_type: authenticatable_classname,
-        token: params[:token]
+        id: params[:id],
+        authenticatable_type: authenticatable_type
       )
     end
+    def passwordless_session_params
+      params.require(:passwordless).permit(:token, authenticatable_class.passwordless_email_field)
+    end
   end
 end

data/app/mailers/passwordless/mailer.rb CHANGED Viewed

@@ -2,20 +2,22 @@
 module Passwordless
   # The mailer responsible for sending Passwordless' mails.
-  class Mailer < Passwordless.parent_mailer.constantize
-    default from: Passwordless.default_from_address
+  class Mailer < Passwordless.config.parent_mailer.constantize
+    default from: Passwordless.config.default_from_address
-    # Sends a magic link (secret token) email.
-    # @param session [Session] A Passwordless Session
-    def magic_link(session)
-      @session = session
+    # Sends a token and a magic link
+    #
+    # @param session [Session] An instance of Passwordless::Session
+    # @param token [String] The token in plaintext. Falls back to `session.token` hoping it
+    # is still in memory (optional)
+    def sign_in(session, token = nil)
+      @token = token || session.token
+      @magic_link = send(:"confirm_#{session.authenticatable_type.tableize}_sign_in_url", session, token)
+      email_field = session.authenticatable.class.passwordless_email_field
-      @magic_link = send(Passwordless.mounted_as).token_sign_in_url(session.token)
-      email_field = @session.authenticatable.class.passwordless_email_field
       mail(
-        to: @session.authenticatable.send(email_field),
-        subject: I18n.t("passwordless.mailer.subject")
+        to: session.authenticatable.send(email_field),
+        subject: I18n.t("passwordless.mailer.sign_in.subject")
       )
     end
   end

data/app/models/passwordless/session.rb CHANGED Viewed

@@ -4,6 +4,8 @@ module Passwordless
   # The session responsible for holding the connection between the record
   # trying to log in and the unique tokens.
   class Session < ApplicationRecord
+    self.table_name = "passwordless_sessions"
     belongs_to(
       :authenticatable,
       polymorphic: true,
@@ -14,9 +16,7 @@ module Passwordless
       :authenticatable,
       :timeout_at,
       :expires_at,
-      :user_agent,
-      :remote_addr,
-      :token,
+      :token_digest,
       presence: true
     )
@@ -27,12 +27,17 @@ module Passwordless
       lambda { where("expires_at > ?", Time.current) }
     )
-    def self.valid
-      available
+    # save the token in memory so we can put it in emails but only save the
+    # hashed version in the database
+    attr_reader :token
+    def token=(plaintext)
+      self.token_digest = Passwordless.digest(plaintext)
+      @token = (plaintext)
     end
-    class << self
-      deprecate :valid, deprecator: SessionValidDeprecation
+    def authenticate(token)
+      token_digest == Passwordless.digest(token)
     end
     def expired?
@@ -58,12 +63,20 @@ module Passwordless
     private
+    def token_digest_available?(token_digest)
+      Session.available.where(token_digest: token_digest).none?
+    end
     def set_defaults
-      self.expires_at ||= Passwordless.expires_at.call
-      self.timeout_at ||= Passwordless.timeout_at.call
-      self.token ||= loop {
-        token = Passwordless.token_generator.call(self)
-        break token unless Session.find_by(token: token)
+      self.expires_at ||= Passwordless.config.expires_at.call
+      self.timeout_at ||= Passwordless.config.timeout_at.call
+      return if self.token_digest
+      self.token, self.token_digest = loop {
+        token = Passwordless.config.token_generator.call(self)
+        digest = Passwordless.digest(token)
+        break [token, digest] if token_digest_available?(digest)
       }
     end
   end

data/app/views/passwordless/mailer/sign_in.text.erb ADDED Viewed

	@@ -0,0 +1 @@
1	+ <%= t("passwordless.mailer.sign_in.body", token: @token, magic_link: @magic_link) %>

data/app/views/passwordless/sessions/new.html.erb CHANGED Viewed

@@ -1,5 +1,9 @@
-<%= form_for @session, url: send(Passwordless.mounted_as).sign_in_path do |f| %>
-  <% email_field_name = :"passwordless[#{@email_field}]" %>
-  <%= text_field_tag email_field_name, params.fetch(email_field_name, nil) %>
-  <%= f.submit I18n.t('passwordless.sessions.new.submit') %>
+<%= form_with(model: @session, url: url_for(action: 'new'), data: { turbo: 'false' }) do |f| %>
+  <% email_field_name = :"passwordless[#{email_field}]" %>
+  <%= f.label email_field_name, t("passwordless.sessions.new.email.label") %>
+  <%= text_field_tag email_field_name,
+  params.fetch(email_field_name, nil),
+  required: true,
+  placeholder: t("passwordless.sessions.new.email.placeholder") %>
+  <%= f.submit t("passwordless.sessions.new.submit") %>
 <% end %>

data/app/views/passwordless/sessions/show.html.erb ADDED Viewed

@@ -0,0 +1,5 @@
+<%= form_with(model: @session, url: url_for(action: 'update'), scope: 'passwordless', method: 'patch', data: { turbo: false }) do |f| %>
+  <%= f.label :token %>
+  <%= f.text_field :token %>
+  <%= f.submit "Confirm" %>
+<% end %>

data/config/locales/en.yml CHANGED Viewed

@@ -2,12 +2,24 @@
 en:
   passwordless:
     sessions:
+      new:
+        email:
+          label: "E-mail address"
+          placeholder: "user@example.com"
+        submit: "Sign in"
       create:
-        session_expired: 'Your session has expired, please sign in again.'
-        email_sent_if_record_found: "If we found you in the system, we've sent you an email."
+        email_sent: "We've sent you an email with a secret token"
+        not_found: "We couldn't find a user with that email address"
+        error: "An error occured"
+      errors:
+        invalid_token: "Token is invalid"
+        session_expired: "Your session has expired, please sign in again."
         token_claimed: "This link has already been used, try requesting the link again"
-      new:
-        submit: 'Send magic link'
     mailer:
-      subject: "Your magic link ✨"
-      magic_link: "Here's your link: %{link}"
+      sign_in:
+        subject: "Signing in ✨"
+        body: |-
+          Use this token to complete your sign in: %{token}
+          Alternatively you can use this link to sign in directly:
+          %{magic_link}

data/config/routes.rb CHANGED Viewed

@@ -1,8 +1,4 @@
 # frozen_string_literal: true
 Passwordless::Engine.routes.draw do
-  get("/sign_in", to: "sessions#new", as: :sign_in)
-  post("/sign_in", to: "sessions#create")
-  get("/sign_in/:token", to: "sessions#show", as: :token_sign_in)
-  match("/sign_out", to: "sessions#destroy", via: %i[get delete], as: :sign_out)
 end

data/db/migrate/20171104221735_create_passwordless_sessions.rb CHANGED Viewed

@@ -12,9 +12,7 @@ class CreatePasswordlessSessions < ActiveRecord::Migration[5.1]
       t.datetime(:timeout_at, null: false)
       t.datetime(:expires_at, null: false)
       t.datetime(:claimed_at)
-      t.text(:user_agent, null: false)
-      t.string(:remote_addr, null: false)
-      t.string(:token, null: false)
+      t.string(:token_digest, null: false)
       t.timestamps
     end

data/lib/generators/passwordless/views_generator.rb CHANGED Viewed

@@ -1,14 +1,14 @@
-require 'rails/generators'
+require "rails/generators"
 module Passwordless
   module Generators
     class ViewsGenerator < Rails::Generators::Base
-      source_root File.expand_path('../../../app/views/passwordless', __dir__)
+      source_root File.expand_path("../../../app/views/passwordless", __dir__)
       def install
-        copy_file 'mailer/magic_link.text.erb', 'app/views/passwordless/mailer/magic_link.text.erb'
-        copy_file 'sessions/new.html.erb', 'app/views/passwordless/sessions/new.html.erb'
-        copy_file 'sessions/create.html.erb', 'app/views/passwordless/sessions.create.html.erb'
+        copy_file("mailer/sign_in.text.erb", "app/views/passwordless/mailer/sign_in.text.erb")
+        copy_file("sessions/new.html.erb", "app/views/passwordless/sessions/new.html.erb")
+        copy_file("sessions/show.html.erb", "app/views/passwordless/sessions/show.html.erb")
       end
     end
   end

data/lib/passwordless/config.rb ADDED Viewed

@@ -0,0 +1,71 @@
+require "passwordless/short_token_generator"
+module Passwordless
+  module Options
+    module ClassMethods
+      def option(name, default: nil)
+        attr_accessor(name)
+        schema[name] = default
+      end
+      def schema
+        @schema ||= {}
+      end
+    end
+    def set_defaults!
+      self.class.schema.each do |name, default|
+        instance_variable_set("@#{name}", default)
+      end
+    end
+    def self.included(cls)
+      cls.extend(ClassMethods)
+    end
+  end
+  class Configuration
+    include Options
+    option :default_from_address, default: "CHANGE_ME@example.com"
+    option :parent_mailer, default: "ActionMailer::Base"
+    option :restrict_token_reuse, default: true
+    option :token_generator, default: ShortTokenGenerator.new
+    option :expires_at, default: lambda { 1.year.from_now }
+    option :timeout_at, default: lambda { 10.minutes.from_now }
+    option :redirect_back_after_sign_in, default: true
+    option :redirect_to_response_options, default: {}
+    option :success_redirect_path, default: "/"
+    option :failure_redirect_path, default: "/"
+    option :sign_out_redirect_path, default: "/"
+    option(
+      :after_session_save,
+      default: lambda do |session, _request|
+        Mailer.sign_in(session, session.token).deliver_now
+      end
+    )
+    def initialize
+      set_defaults!
+    end
+  end
+  module Configurable
+    attr_writer :config
+    def config
+      @config ||= Configuration.new
+    end
+    def configure
+      yield(config)
+    end
+    def reset_config!
+      @config = Configuration.new
+    end
+  end
+end

data/lib/passwordless/controller_helpers.rb CHANGED Viewed

@@ -10,51 +10,33 @@ module Passwordless
     end
     # Build a new Passwordless::Session from an _authenticatable_ record.
-    # Set's `user_agent` and `remote_addr` from Rails' `request`.
     # @param authenticatable [ActiveRecord::Base] Instance of an
     #   authenticatable Rails model
     # @return [Session] the new Session object
     # @see ModelHelpers#passwordless_with
     def build_passwordless_session(authenticatable)
-      Session.new.tap do |us|
-        us.remote_addr = request.remote_addr
-        us.user_agent = request.env["HTTP_USER_AGENT"]
-        us.authenticatable = authenticatable
-      end
+      Session.new(authenticatable: authenticatable)
     end
-    # @deprecated Use {ControllerHelpers#authenticate_by_session}
-    # Authenticate a record using cookies. Looks for a cookie corresponding to
-    # the _authenticatable_class_. If found try to find it in the database.
-    # @param authenticatable_class [ActiveRecord::Base] any Model connected to
-    #   passwordless. (e.g - _User_ or _Admin_).
-    # @return [ActiveRecord::Base|nil] an instance of Model found by id stored
-    #   in cookies.encrypted or nil if nothing is found.
+    # Create a new Passwordless::Session from an _authenticatable_ record.
+    # @param authenticatable [ActiveRecord::Base] Instance of an
+    #   authenticatable Rails model
+    # @return [Session] the new Session object
+    # @raise [ActiveRecord::RecordInvalid] if the Session is invalid
     # @see ModelHelpers#passwordless_with
-    def authenticate_by_cookie(authenticatable_class)
-      key = cookie_name(authenticatable_class)
-      authenticatable_id = cookies.encrypted[key]
-      return authenticatable_class.find_by(id: authenticatable_id) if authenticatable_id
-      authenticate_by_session(authenticatable_class)
+    def create_passwordless_session!(authenticatable)
+      Session.create!(authenticatable: authenticatable)
     end
-    deprecate :authenticate_by_cookie, deprecator: CookieDeprecation
-    def upgrade_passwordless_cookie(authenticatable_class)
-      key = cookie_name(authenticatable_class)
-      return unless (authenticatable_id = cookies.encrypted[key])
-      cookies.encrypted.permanent[key] = {value: nil}
-      cookies.delete(key)
-      return unless (record = authenticatable_class.find_by(id: authenticatable_id))
-      new_session = build_passwordless_session(record).tap { |s| s.save! }
-      sign_in(new_session)
-      new_session.authenticatable
+    # Create a new Passwordless::Session from an _authenticatable_ record.
+    # @param authenticatable [ActiveRecord::Base] Instance of an
+    #   authenticatable Rails model
+    # @return [Session, nil] the new Session object or nil
+    # @see ModelHelpers#passwordless_with
+    def create_passwordless_session(authenticatable)
+      create_passwordless_session!(authenticatable)
+    rescue ActiveRecord::RecordInvalid
+      nil
     end
     # Authenticate a record using the session. Looks for a session key corresponding to
@@ -65,54 +47,39 @@ module Passwordless
     #   in cookies.encrypted or nil if nothing is found.
     # @see ModelHelpers#passwordless_with
     def authenticate_by_session(authenticatable_class)
-      return unless find_passwordless_session_for(authenticatable_class)&.available?
-      find_passwordless_session_for(authenticatable_class).authenticatable
+      pwless_session = find_passwordless_session_for(authenticatable_class)
+      return unless pwless_session&.available?
+      pwless_session.authenticatable
     end
     # Signs in session
     # @param authenticatable [Passwordless::Session] Instance of {Passwordless::Session}
     # to sign in
     # @return [ActiveRecord::Base] the record that is passed in.
-    def sign_in(record)
-      passwordless_session = if record.is_a?(Passwordless::Session)
-        record
-      else
-        warn(
-          "Passwordless::ControllerHelpers#sign_in with authenticatable " \
-            "(`#{record.class}') is deprecated. Falling back to creating a " \
-            "new Passwordless::Session"
-        )
-        build_passwordless_session(record).tap { |s| s.save! }
-      end
-      passwordless_session.claim! if Passwordless.restrict_token_reuse
+    def sign_in(passwordless_session)
+      passwordless_session.claim! if Passwordless.config.restrict_token_reuse
       raise Passwordless::Errors::SessionTimedOutError if passwordless_session.timed_out?
-      old_session = session.dup.to_hash
-      reset_session
-      old_session.each_pair { |k, v| session[k.to_sym] = v }
+      if defined?(reset_session)
+        old_session = session.dup.to_hash
+        # allow usage outside controllers
+        reset_session
+        old_session.each_pair { |k, v| session[k.to_sym] = v }
+      end
       key = session_key(passwordless_session.authenticatable_type)
       session[key] = passwordless_session.id
-      if record.is_a?(Passwordless::Session)
-        passwordless_session
-      else
-        passwordless_session.authenticatable
-      end
+      passwordless_session
     end
     # Signs out user by deleting the session key.
     # @param (see #authenticate_by_session)
     # @return [boolean] Always true
     def sign_out(authenticatable_class)
-      # Deprecated - cookies
-      key = cookie_name(authenticatable_class)
-      cookies.encrypted.permanent[key] = {value: nil}
-      cookies.delete(key)
-      # /deprecated
+      session.delete(session_key(authenticatable_class))
       reset_session
       true
     end
@@ -151,10 +118,5 @@ module Passwordless
       authenticatable_class.base_class.to_s.parameterize
     end
-    # Deprecated
-    def cookie_name(authenticatable_class)
-      :"#{authenticatable_class.base_class.to_s.underscore}_id"
-    end
   end
 end