passwordless 0.5.0 → 0.5.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +9 -0
- data/app/controllers/passwordless/sessions_controller.rb +1 -7
- data/app/mailers/passwordless/mailer.rb +2 -4
- data/app/views/passwordless/sessions/create.html.erb +1 -1
- data/app/views/passwordless/sessions/new.html.erb +1 -1
- data/lib/passwordless.rb +1 -0
- data/lib/passwordless/router_helpers.rb +5 -3
- data/lib/passwordless/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 41c7adf049e6fcb2c682c5521f7d07bcbef284e89d4847616aa052bdce5f9bdd
|
|
4
|
+
data.tar.gz: 1fae62fa2de31fa2567664ca3573cbe4865f6675a8a6fb4b4736db882121c3ad
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3e590daa07378e8a920f7640d34ee1c9701effece337f883c68bf2fee12a87282abaeb3e9027d0650e884a522cce951857f104a79766cb66f92d1ccaf52f8f6b
|
|
7
|
+
data.tar.gz: a2687e8571a9ebb65dab493a4b1c7ee2011c1b90edf6be17a34d1b72b948a4ed8a4c94ff12e66a2957f6e099ee790e1139f57372e738ca6a24037c0ad85f6a9a
|
data/README.md
CHANGED
|
@@ -20,6 +20,7 @@ Add authentication to your Rails app without all the icky-ness of passwords.
|
|
|
20
20
|
* [Generating tokens](#generating-tokens)
|
|
21
21
|
* [Redirecting back after sign-in](#redirecting-back-after-sign-in)
|
|
22
22
|
* [URLs and links](#urls-and-links)
|
|
23
|
+
* [E-mail security](#e-mail-security)
|
|
23
24
|
* [License](#license)
|
|
24
25
|
|
|
25
26
|
## Installation
|
|
@@ -187,6 +188,14 @@ passwordless_for :users, at: '/', as: :auth
|
|
|
187
188
|
|
|
188
189
|
Also be sure to [specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views).
|
|
189
190
|
|
|
191
|
+
### E-mail security
|
|
192
|
+
|
|
193
|
+
There's no reason that this approach should be less secure than the usual username/password combo. In fact this is most often a more secure option, as users don't get to choose the weak passwords they still use. In a way this is just the same as having each user go through "Forgot password" on every login.
|
|
194
|
+
|
|
195
|
+
But be aware that when everyone authenticates via emails you send, the way you send those mails becomes a weak spot. Email services usually provide a log of all the mails you send so if your app's account is compromised, every user in the system is as well. (This is the same for "Forgot password".) [Reddit was compromised](https://thenextweb.com/hardfork/2018/01/05/reddit-bitcoin-cash-hack/) using this method.
|
|
196
|
+
|
|
197
|
+
Ideally you should set up your email provider to not log these mails. And be sure to turn on 2-factor auth if your provider supports it.
|
|
198
|
+
|
|
190
199
|
# License
|
|
191
200
|
|
|
192
201
|
MIT
|
|
@@ -10,8 +10,6 @@ module Passwordless
|
|
|
10
10
|
|
|
11
11
|
include ControllerHelpers
|
|
12
12
|
|
|
13
|
-
helper_method :authenticatable_resource
|
|
14
|
-
|
|
15
13
|
# get '/sign_in'
|
|
16
14
|
# Assigns an email_field and new Session to be used by new view.
|
|
17
15
|
# renders sessions/new.html.erb.
|
|
@@ -87,17 +85,13 @@ module Passwordless
|
|
|
87
85
|
authenticatable_classname.constantize
|
|
88
86
|
end
|
|
89
87
|
|
|
90
|
-
def authenticatable_resource
|
|
91
|
-
authenticatable.pluralize
|
|
92
|
-
end
|
|
93
|
-
|
|
94
88
|
def email_field
|
|
95
89
|
authenticatable_class.passwordless_email_field
|
|
96
90
|
end
|
|
97
91
|
|
|
98
92
|
def find_authenticatable
|
|
99
93
|
authenticatable_class.where(
|
|
100
|
-
"lower(#{email_field}) = ?", params[:passwordless][email_field]
|
|
94
|
+
"lower(#{email_field}) = ?", params[:passwordless][email_field].downcase
|
|
101
95
|
).first
|
|
102
96
|
end
|
|
103
97
|
|
|
@@ -10,10 +10,8 @@ module Passwordless
|
|
|
10
10
|
def magic_link(session)
|
|
11
11
|
@session = session
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
@magic_link =
|
|
16
|
-
send(authenticatable_resource_name).token_sign_in_url(session.token)
|
|
13
|
+
@magic_link = send(Passwordless.mounted_as)
|
|
14
|
+
.token_sign_in_url(session.token)
|
|
17
15
|
|
|
18
16
|
email_field = @session.authenticatable.class.passwordless_email_field
|
|
19
17
|
mail(
|
|
@@ -1 +1 @@
|
|
|
1
|
-
<p><%= I18n.t('passwordless.sessions.
|
|
1
|
+
<p><%= I18n.t('passwordless.sessions.create.email_sent_if_record_found') %></p>
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
<%= form_for @session, url: send(
|
|
1
|
+
<%= form_for @session, url: send(Passwordless.mounted_as).sign_in_path do |f| %>
|
|
2
2
|
<% email_field_name = :"passwordless[#{@email_field}]" %>
|
|
3
3
|
<%= text_field_tag email_field_name, params.fetch(email_field_name, nil) %>
|
|
4
4
|
<%= f.submit I18n.t('passwordless.sessions.new.submit') %>
|
data/lib/passwordless.rb
CHANGED
|
@@ -8,4 +8,5 @@ module Passwordless
|
|
|
8
8
|
mattr_accessor(:default_from_address) { 'CHANGE_ME@example.com' }
|
|
9
9
|
mattr_accessor(:token_generator) { UrlSafeBase64Generator.new }
|
|
10
10
|
mattr_accessor(:redirect_back_after_sign_in) { true }
|
|
11
|
+
mattr_accessor(:mounted_as) { :configured_when_mounting_passwordless }
|
|
11
12
|
end
|
|
@@ -17,12 +17,14 @@ module Passwordless
|
|
|
17
17
|
# <%= link_to 'Sign in', user_session_things.sign_in_path %>).
|
|
18
18
|
# (Default: resource.to_s)
|
|
19
19
|
def passwordless_for(resource, at: nil, as: nil)
|
|
20
|
+
mount_at = at || resource.to_s
|
|
21
|
+
mount_as = as || resource.to_s
|
|
20
22
|
mount(
|
|
21
|
-
Passwordless::Engine,
|
|
22
|
-
at: at || resource.to_s,
|
|
23
|
-
as: as || resource.to_s,
|
|
23
|
+
Passwordless::Engine, at: mount_at, as: mount_as,
|
|
24
24
|
defaults: { authenticatable: resource.to_s.singularize }
|
|
25
25
|
)
|
|
26
|
+
|
|
27
|
+
Passwordless.mounted_as = mount_as
|
|
26
28
|
end
|
|
27
29
|
end
|
|
28
30
|
end
|
data/lib/passwordless/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: passwordless
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.5.
|
|
4
|
+
version: 0.5.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mikkel Malmberg
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-04-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -128,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
128
128
|
version: '0'
|
|
129
129
|
requirements: []
|
|
130
130
|
rubyforge_project:
|
|
131
|
-
rubygems_version: 2.7.
|
|
131
|
+
rubygems_version: 2.7.6
|
|
132
132
|
signing_key:
|
|
133
133
|
specification_version: 4
|
|
134
134
|
summary: Add authentication to your app without all the ickyness of passwords.
|