passwordless 0.5.0 → 0.5.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d79c41fb0ddc3797af28166832ab336c3c3c2347c9336be03e04441554347772
4
- data.tar.gz: 0f24f481eff8e766e7546e21c53fa196fa61421037a6543c58c7bca81e78899e
3
+ metadata.gz: 41c7adf049e6fcb2c682c5521f7d07bcbef284e89d4847616aa052bdce5f9bdd
4
+ data.tar.gz: 1fae62fa2de31fa2567664ca3573cbe4865f6675a8a6fb4b4736db882121c3ad
5
5
  SHA512:
6
- metadata.gz: c3a7038ffd29a1cb8218905fb974fd3d59b45b11190e3df9e125e8fc5c200638d7f7cf1c954d3a17b256594c4429a144fcd5259a210fa3fed5b13a05551af6c4
7
- data.tar.gz: 3a1506b2dfba720a3ca82df7ce992fb74d450691dd31e8b250d961a7c882680fda2fb36674a6d474fa7114dc922839448547ade16b6c1c57348c08b1c9c8de25
6
+ metadata.gz: 3e590daa07378e8a920f7640d34ee1c9701effece337f883c68bf2fee12a87282abaeb3e9027d0650e884a522cce951857f104a79766cb66f92d1ccaf52f8f6b
7
+ data.tar.gz: a2687e8571a9ebb65dab493a4b1c7ee2011c1b90edf6be17a34d1b72b948a4ed8a4c94ff12e66a2957f6e099ee790e1139f57372e738ca6a24037c0ad85f6a9a
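--- a/data/README.md
+++ b/data/README.md
@@ -20,6 +20,7 @@ Add authentication to your Rails app without all the icky-ness of passwords.
 * [Generating tokens](#generating-tokens)
 * [Redirecting back after sign-in](#redirecting-back-after-sign-in)
 * [URLs and links](#urls-and-links)
+* [E-mail security](#e-mail-security)
 * [License](#license)
 
 ## Installation
@@ -187,6 +188,14 @@ passwordless_for :users, at: '/', as: :auth
 
 Also be sure to [specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views).
 
+### E-mail security
+
+There's no reason that this approach should be less secure than the usual username/password combo. In fact this is most often a more secure option, as users don't get to choose the weak passwords they still use. In a way this is just the same as having each user go through "Forgot password" on every login.
+
+But be aware that when everyone authenticates via emails you send, the way you send those mails becomes a weak spot. Email services usually provide a log of all the mails you send so if your app's account is compromised, every user in the system is as well. (This is the same for "Forgot password".) [Reddit was compromised](https://thenextweb.com/hardfork/2018/01/05/reddit-bitcoin-cash-hack/) using this method.
+
+Ideally you should set up your email provider to not log these mails. And be sure to turn on 2-factor auth if your provider supports it.
+
 # License
 
 MIT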
@@ -10,8 +10,6 @@ module Passwordless
10
10
 
11
11
  include ControllerHelpers
12
12
 
13
- helper_method :authenticatable_resource
14
-
15
13
  # get '/sign_in'
16
14
  # Assigns an email_field and new Session to be used by new view.
17
15
  # renders sessions/new.html.erb.
@@ -87,17 +85,13 @@ module Passwordless
87
85
  authenticatable_classname.constantize
88
86
  end
89
87
 
90
- def authenticatable_resource
91
- authenticatable.pluralize
92
- end
93
-
94
88
  def email_field
95
89
  authenticatable_class.passwordless_email_field
96
90
  end
97
91
 
98
92
  def find_authenticatable
99
93
  authenticatable_class.where(
100
- "lower(#{email_field}) = ?", params[:passwordless][email_field]
94
+ "lower(#{email_field}) = ?", params[:passwordless][email_field].downcase
101
95
  ).first
102
96
  end
103
97
 
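Review bot: `params[:passwordless][email_field].downcase` in find_authenticatable turns a `passwordless` hash that lacks the email key into a NoMethodError on nil, where the old line passed nil through to the query and simply found no record; this is the public sign-in endpoint, so any malformed form post now produces an unhandled 500 instead of the not-found path. Guard the value, e.g. `"lower(#{email_field}) = ?", params.fetch(:passwordless, {})[email_field]&.downcase`, so a missing or empty field still falls through to `.first` returning nil. Ruby's String#downcase does full Unicode case mapping while the database's lower() depends on its collation, so addresses with non-ASCII local parts may still not match — probably acceptable, but worth a one-line comment. The interpolated `#{email_field}` is only safe because it is the model's configured column name rather than request input; a comment such as `# email_field is the model-configured column name, never request input` would keep that invariant visible next to the SQL fragment.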
@@ -10,10 +10,8 @@ module Passwordless
10
10
  def magic_link(session)
11
11
  @session = session
12
12
 
13
- authenticatable_resource_name =
14
- @session.authenticatable_type.underscore.pluralize
15
- @magic_link =
16
- send(authenticatable_resource_name).token_sign_in_url(session.token)
13
+ @magic_link = send(Passwordless.mounted_as)
14
+ .token_sign_in_url(session.token)
17
15
 
18
16
  email_field = @session.authenticatable.class.passwordless_email_field
19
17
  mail(
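Review bot: `send(Passwordless.mounted_as)` in magic_link calls whatever symbol is held in a module-level setting; the route-helper method it is meant to reach is public, so `public_send(Passwordless.mounted_as)` states that intent and cannot fall through to a private method if the setting ever holds something unexpected — the same applies to the form's `url:` in the sign-in form view further down this diff. When `passwordless_for` was never called the default sentinel symbol surfaces here as a bare NoMethodError raised from inside the mailer, which is hard to trace back to the routes file; a short comment on the assignment, such as `# Route helper named by passwordless_for's as: option; raises if the engine is not mounted`, would make that failure findable. magic_link's body continues past the end of the hunk.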
@@ -1 +1 @@
1
- <p><%= I18n.t('passwordless.sessions.success.email_sent_if_record_found') %></p>
1
+ <p><%= I18n.t('passwordless.sessions.create.email_sent_if_record_found') %></p>
@@ -1,4 +1,4 @@
1
- <%= form_for @session, url: send(authenticatable_resource).sign_in_path do |f| %>
1
+ <%= form_for @session, url: send(Passwordless.mounted_as).sign_in_path do |f| %>
2
2
  <% email_field_name = :"passwordless[#{@email_field}]" %>
3
3
  <%= text_field_tag email_field_name, params.fetch(email_field_name, nil) %>
4
4
  <%= f.submit I18n.t('passwordless.sessions.new.submit') %>
@@ -8,4 +8,5 @@ module Passwordless
8
8
  mattr_accessor(:default_from_address) { 'CHANGE_ME@example.com' }
9
9
  mattr_accessor(:token_generator) { UrlSafeBase64Generator.new }
10
10
  mattr_accessor(:redirect_back_after_sign_in) { true }
11
+ mattr_accessor(:mounted_as) { :configured_when_mounting_passwordless }
11
12
  end
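Review bot: `mattr_accessor(:mounted_as) { :configured_when_mounting_passwordless }` has no comment, and unlike its siblings its default is a sentinel rather than a usable value, so a reader of this file cannot tell who assigns it or that the default is meant to fail on use. Suggest a comment above the line: `# Name of the route helper the engine was mounted as; assigned by passwordless_for and read via send in the mailer and sign-in view. The default is a sentinel that raises if the engine was never mounted.` It would also help to note that this is a single process-wide value, since the accessor is module state shared by every mount.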
@@ -17,12 +17,14 @@ module Passwordless
17
17
  # <%= link_to 'Sign in', user_session_things.sign_in_path %>).
18
18
  # (Default: resource.to_s)
19
19
  def passwordless_for(resource, at: nil, as: nil)
20
+ mount_at = at || resource.to_s
21
+ mount_as = as || resource.to_s
20
22
  mount(
21
- Passwordless::Engine,
22
- at: at || resource.to_s,
23
- as: as || resource.to_s,
23
+ Passwordless::Engine, at: mount_at, as: mount_as,
24
24
  defaults: { authenticatable: resource.to_s.singularize }
25
25
  )
26
+
27
+ Passwordless.mounted_as = mount_as
26
28
  end
27
29
  end
28
30
  end
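Review bot: `Passwordless.mounted_as = mount_as` stores one process-wide value, so if `passwordless_for` is called more than once (for example for two different resources) the last call wins and the mailer and sign-in form for the first resource build their links from the second mount's route helper; the code removed in this release derived the helper per session from `authenticatable_type`, so this looks like a regression for multi-resource setups if those are supported. If multiple mounts are meant to work, store the helper name per resource (keyed by the same `resource.to_s.singularize` used for `defaults:`) and resolve it from the session's authenticatable type in the mailer and view; if only a single mount is supported, have the second call raise so the silent rebinding becomes a loud configuration error. The enclosing module of passwordless_for starts outside the hunk.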
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Passwordless
4
- VERSION = '0.5.0' # :nodoc:
4
+ VERSION = '0.5.1' # :nodoc:
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: passwordless
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.5.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mikkel Malmberg
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-02-26 00:00:00.000000000 Z
11
+ date: 2018-04-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails
@@ -128,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
128
128
  version: '0'
129
129
  requirements: []
130
130
  rubyforge_project:
131
- rubygems_version: 2.7.3
131
+ rubygems_version: 2.7.6
132
132
  signing_key:
133
133
  specification_version: 4
134
134
  summary: Add authentication to your app without all the ickyness of passwords.