passwordless 0.5.0 → 0.5.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d79c41fb0ddc3797af28166832ab336c3c3c2347c9336be03e04441554347772
4
- data.tar.gz: 0f24f481eff8e766e7546e21c53fa196fa61421037a6543c58c7bca81e78899e
3
+ metadata.gz: 41c7adf049e6fcb2c682c5521f7d07bcbef284e89d4847616aa052bdce5f9bdd
4
+ data.tar.gz: 1fae62fa2de31fa2567664ca3573cbe4865f6675a8a6fb4b4736db882121c3ad
5
5
  SHA512:
6
- metadata.gz: c3a7038ffd29a1cb8218905fb974fd3d59b45b11190e3df9e125e8fc5c200638d7f7cf1c954d3a17b256594c4429a144fcd5259a210fa3fed5b13a05551af6c4
7
- data.tar.gz: 3a1506b2dfba720a3ca82df7ce992fb74d450691dd31e8b250d961a7c882680fda2fb36674a6d474fa7114dc922839448547ade16b6c1c57348c08b1c9c8de25
6
+ metadata.gz: 3e590daa07378e8a920f7640d34ee1c9701effece337f883c68bf2fee12a87282abaeb3e9027d0650e884a522cce951857f104a79766cb66f92d1ccaf52f8f6b
7
+ data.tar.gz: a2687e8571a9ebb65dab493a4b1c7ee2011c1b90edf6be17a34d1b72b948a4ed8a4c94ff12e66a2957f6e099ee790e1139f57372e738ca6a24037c0ad85f6a9a
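--- a/data/README.md
+++ b/data/README.md
@@ -20,6 +20,7 @@ Add authentication to your Rails app without all the icky-ness of passwords.
 * [Generating tokens](#generating-tokens)
 * [Redirecting back after sign-in](#redirecting-back-after-sign-in)
 * [URLs and links](#urls-and-links)
+* [E-mail security](#e-mail-security)
 * [License](#license)
 
 ## Installation
@@ -187,6 +188,14 @@ passwordless_for :users, at: '/', as: :auth
 
 Also be sure to [specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views).
 
+### E-mail security
+
+There's no reason that this approach should be less secure than the usual username/password combo. In fact this is most often a more secure option, as users don't get to choose the weak passwords they still use. In a way this is just the same as having each user go through "Forgot password" on every login.
+
+But be aware that when everyone authenticates via emails you send, the way you send those mails becomes a weak spot. Email services usually provide a log of all the mails you send so if your app's account is compromised, every user in the system is as well. (This is the same for "Forgot password".) [Reddit was compromised](https://thenextweb.com/hardfork/2018/01/05/reddit-bitcoin-cash-hack/) using this method.
+
+Ideally you should set up your email provider to not log these mails. And be sure to turn on 2-factor auth if your provider supports it.
+
 # License
 
 MIT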
@@ -10,8 +10,6 @@ module Passwordless
10
10
 
11
11
  include ControllerHelpers
12
12
 
13
- helper_method :authenticatable_resource
14
-
15
13
  # get '/sign_in'
16
14
  # Assigns an email_field and new Session to be used by new view.
17
15
  # renders sessions/new.html.erb.
@@ -87,17 +85,13 @@ module Passwordless
87
85
  authenticatable_classname.constantize
88
86
  end
89
87
 
90
- def authenticatable_resource
91
- authenticatable.pluralize
92
- end
93
-
94
88
  def email_field
95
89
  authenticatable_class.passwordless_email_field
96
90
  end
97
91
 
98
92
  def find_authenticatable
99
93
  authenticatable_class.where(
100
- "lower(#{email_field}) = ?", params[:passwordless][email_field]
94
+ "lower(#{email_field}) = ?", params[:passwordless][email_field].downcase
101
95
  ).first
102
96
  end
103
97
 
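Review bot: The new `.downcase` in `find_authenticatable` turns a missing or non-string parameter into a NoMethodError (a bare POST to the sign-in path, or a scanner sending `passwordless` as a plain string), where the old bind simply matched nothing; on an unauthenticated endpoint a clean no-match is preferable to a 500. Coerce and guard before querying, e.g. `email = params.fetch(:passwordless, {})[email_field].to_s.downcase`, `return nil if email.empty?`, then `authenticatable_class.where("lower(#{email_field}) = ?", email).first`. The column name interpolated into the SQL comes from `passwordless_email_field`, not from the request, which deserves a one-line comment so a future reader does not mistake it for an injection point. Ruby's `downcase` and the database's `lower()` can also disagree on non-ASCII addresses; that may be acceptable, but it is an assumption worth recording next to the query.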
@@ -10,10 +10,8 @@ module Passwordless
10
10
  def magic_link(session)
11
11
  @session = session
12
12
 
13
- authenticatable_resource_name =
14
- @session.authenticatable_type.underscore.pluralize
15
- @magic_link =
16
- send(authenticatable_resource_name).token_sign_in_url(session.token)
13
+ @magic_link = send(Passwordless.mounted_as)
14
+ .token_sign_in_url(session.token)
17
15
 
18
16
  email_field = @session.authenticatable.class.passwordless_email_field
19
17
  mail(
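Review bot: `send(Passwordless.mounted_as)` drops the per-resource routing the removed lines had: the old helper name was derived from `@session.authenticatable_type`, whereas `Passwordless.mounted_as` is a single process-wide value, so with two `passwordless_for` mounts (say users and admins) every magic link appears to point at whichever engine was mounted last and the token is then presented to the wrong mount. If multi-mount is meant to stay supported, keep the lookup keyed by the session, e.g. record the helper name per authenticatable in the routing helper and resolve it here from `@session.authenticatable_type`; if it is not, a comment such as `# Only a single passwordless_for mount is supported; see Passwordless.mounted_as.` would at least make the limitation visible. `public_send` is also the stricter choice when invoking a route helper by configured name. `magic_link` continues past the end of the hunk.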
@@ -1 +1 @@
1
- <p><%= I18n.t('passwordless.sessions.success.email_sent_if_record_found') %></p>
1
+ <p><%= I18n.t('passwordless.sessions.create.email_sent_if_record_found') %></p>
@@ -1,4 +1,4 @@
1
- <%= form_for @session, url: send(authenticatable_resource).sign_in_path do |f| %>
1
+ <%= form_for @session, url: send(Passwordless.mounted_as).sign_in_path do |f| %>
2
2
  <% email_field_name = :"passwordless[#{@email_field}]" %>
3
3
  <%= text_field_tag email_field_name, params.fetch(email_field_name, nil) %>
4
4
  <%= f.submit I18n.t('passwordless.sessions.new.submit') %>
@@ -8,4 +8,5 @@ module Passwordless
8
8
  mattr_accessor(:default_from_address) { 'CHANGE_ME@example.com' }
9
9
  mattr_accessor(:token_generator) { UrlSafeBase64Generator.new }
10
10
  mattr_accessor(:redirect_back_after_sign_in) { true }
11
+ mattr_accessor(:mounted_as) { :configured_when_mounting_passwordless }
11
12
  end
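Review bot: The `:configured_when_mounting_passwordless` sentinel for `mounted_as` needs a comment: the value is only meaningful after `passwordless_for` has run in routes.rb, and until then any `send(Passwordless.mounted_as)` fails with an "undefined method `configured_when_mounting_passwordless`" error that does not point the reader at the missing mount. Something like `# Route-helper name of the engine mount; set by passwordless_for in routes.rb. The sentinel makes an unmounted engine fail loudly at the first send() instead of returning nil.` above the accessor would do. Note that this accessor is also written once per `passwordless_for` call, so it only describes the most recent mount.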
@@ -17,12 +17,14 @@ module Passwordless
17
17
  # <%= link_to 'Sign in', user_session_things.sign_in_path %>).
18
18
  # (Default: resource.to_s)
19
19
  def passwordless_for(resource, at: nil, as: nil)
20
+ mount_at = at || resource.to_s
21
+ mount_as = as || resource.to_s
20
22
  mount(
21
- Passwordless::Engine,
22
- at: at || resource.to_s,
23
- as: as || resource.to_s,
23
+ Passwordless::Engine, at: mount_at, as: mount_as,
24
24
  defaults: { authenticatable: resource.to_s.singularize }
25
25
  )
26
+
27
+ Passwordless.mounted_as = mount_as
26
28
  end
27
29
  end
28
30
  end
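Review bot: `Passwordless.mounted_as = mount_as` is last-write-wins, so a second `passwordless_for` call silently repoints the mailer and the sign-in form of the first resource at the second mount, with nothing failing at boot. Either reject a second mount explicitly or store the helper name per resource (a hash keyed by `resource.to_s.singularize`, the same value already passed as `defaults[:authenticatable]`) so callers can resolve the right engine. The method comment above should also mention the side effect, e.g. `# Also records the route-helper name in Passwordless.mounted_as (single mount only).` Since `mount_as` may arrive as a String or a Symbol depending on the caller, normalising with `.to_sym` before storing keeps later comparisons predictable.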
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Passwordless
4
- VERSION = '0.5.0' # :nodoc:
4
+ VERSION = '0.5.1' # :nodoc:
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: passwordless
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.5.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mikkel Malmberg
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-02-26 00:00:00.000000000 Z
11
+ date: 2018-04-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails
@@ -128,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
128
128
  version: '0'
129
129
  requirements: []
130
130
  rubyforge_project:
131
- rubygems_version: 2.7.3
131
+ rubygems_version: 2.7.6
132
132
  signing_key:
133
133
  specification_version: 4
134
134
  summary: Add authentication to your app without all the ickyness of passwords.