passwordless 0.7.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb17c0cc08c9dd0062b47d67a470adeee2d0e7dc618e48967180eea61796f47a
-  data.tar.gz: 870dd7a03e131344f20bdee24ab614e1ef66ff3fe8faf9d4bd05bb08adce032d
+  metadata.gz: c45a41b4be30c959c37b50ef8013f4055c97ae516e4b8297b4f56607836cc09b
+  data.tar.gz: 7b0c50e087c5be36e5e89476764a407767aee4851fcb38c0b744bd532be8e982
 SHA512:
-  metadata.gz: e43144bae67ad300ae753fe131ec6b09fcf997c975e2fcb9a819d457fb0178797d03b4e7278c3c92c4cc18664c54c5231de428be7f6fc63c05a878516e628f7a
-  data.tar.gz: 5aeca84a612458d6e2dce0b0e9335d80a9f4e4af730540a148c3ef0ed6056417a33b444bfc17c19adf06744a7a2fa38dccb82189206bf2c86354352540b41e7e
+  metadata.gz: b35ef690ecd6b37106d785ccb71693606387a8fcc48d5ea115b9d035211b8225d551291d3c64abdb89517cb0ceea17d31807d40ef6f168a9f5df742fd27b8d65
+  data.tar.gz: 8d8ba39b3711905ea36f5f20c009a26b42bcea43ed1bd1185ac56c0053e7afdb6fdf786f123fa8c01b2c095ec3104637d5017791056960293869053ff0b248a3

data/README.md

@@ -14,16 +14,19 @@ Add authentication to your Rails app without all the icky-ness of passwords.
 
 * [Installation](#installation)
 * [Usage](#usage)
-     * [Getting the current user, restricting access, the usual](#getting-the-current-user-restricting-access-the-usual)
-     * [Providing your own templates](#providing-your-own-templates)
-     * [Overrides](#overrides)
-     * [Registering new users](#registering-new-users)
-     * [Generating tokens](#generating-tokens)
-     * [Token and Session Expiry](#token-and-session-expiry)
-     * [Redirecting back after sign-in](#redirecting-back-after-sign-in)
-     * [URLs and links](#urls-and-links)
-     * [Customize the way to send magic link](#customize-the-way-to-send-magic-link)
-     * [E-mail security](#e-mail-security)
+  * [Getting the current user, restricting access, the usual](#getting-the-current-user-restricting-access-the-usual)
+  * [Providing your own templates](#providing-your-own-templates)
+  * [Registering new users](#registering-new-users)
+  * [URLs and links](#urls-and-links)
+  * [Customize the way to send magic link](#customize-the-way-to-send-magic-link)
+  * [Generate your own magic links](#generate-your-own-magic-links)
+  * [Overrides](#overrides)
+* [Configuration](#configuration)
+  * [Customising token generation](#generating-tokens)
+  * [Token and Session Expiry](#token-and-session-expiry)
+  * [Redirecting back after sign-in](#redirecting-back-after-sign-in)
+  * [Claiming tokens](#claiming-tokens)
+* [E-mail security](#e-mail-security)
 * [License](#license)
 
 ## Installation
@@ -43,7 +46,7 @@ $ bin/rails passwordless:install:migrations
 
 ## Usage
 
-Passwordless creates a single model called `Passwordless::Session`. It doesn't come with its own `User` model, it expects you to create one, eg.:
+Passwordless creates a single model called `Passwordless::Session`. It doesn't come with its own `User` model, it expects you to create one:
 
 ```
 $ bin/rails generate model User email
@@ -71,7 +74,7 @@ end
 
 ### Getting the current user, restricting access, the usual
 
-Passwordless doesn't give you `current_user` automatically -- it's dead easy to add it though:
+Passwordless doesn't give you `current_user` automatically. Here's how you could add it:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -84,12 +87,12 @@ class ApplicationController < ActionController::Base
   private
 
   def current_user
-    @current_user ||= authenticate_by_cookie(User)
+    @current_user ||= authenticate_by_session(User)
   end
 
   def require_user!
     return if current_user
-    redirect_to root_path, flash: {error: 'You are not worthy!'}
+    redirect_to root_path, flash: { error: 'You are not worthy!' }
   end
 end
 ```
@@ -119,39 +122,32 @@ app/views/passwordless/sessions/create.html.erb
 app/views/passwordless/mailer/magic_link.text.erb
 ```
 
-See [the bundled views](https://github.com/mikker/passwordless/tree/master/app/views/passwordless).
-
-### Overrides
-
-By default `passwordless` uses the `passwordless_with` column you specify in the model to case insensitively fetch the resource during authentication. You can override this and provide your own customer fetcher by defining a class method `fetch_resource_for_passwordless` in your passwordless model. The method will be supplied with the downcased email and should return an `ActiveRecord` instance of the model.
-
-Example time:
-
-Let's say we would like to fetch the record and if it doesn't exist, create automatically.
-
-```ruby
-class User < ApplicationRecord
-  def self.fetch_resource_for_passwordless(email)
-    find_or_create_by(email: email)
-  end
-end
+If you'd like to let the user know whether or not a record was found, `@resource` is provided to the view. You may override `app/views/passwordless/session/create.html.erb` for example like so:
+```erb
+<% if @resource.present? %>
+  <p>User found, check your inbox</p>
+<% else %>
+  <p>No user found with the provided email address</p>
+<% end %>
 ```
 
+See [the bundled views](https://github.com/mikker/passwordless/tree/master/app/views/passwordless).
+
 ### Registering new users
 
-Because your `User` record is like any other record, you create one like you normally would. Passwordless provides a helper method you can use to sign in the created user after it is saved like so:
+Because your `User` record is like any other record, you create one like you normally would. Passwordless provides a helper method to sign in the created user after it is saved – like so:
 
 ```ruby
 class UsersController < ApplicationController
   include Passwordless::ControllerHelpers # <-- This!
-  #  (unless you already have it in your ApplicationController)
+  # (unless you already have it in your ApplicationController)
 
   def create
     @user = User.new user_params
 
     if @user.save
-      sign_in @user # <-- And this!
-      redirect_to @user, flash: {notice: 'Welcome!'}
+      sign_in @user # <-- This!
+      redirect_to @user, flash: { notice: 'Welcome!' }
     else
       render :new
     end
@@ -161,9 +157,102 @@ class UsersController < ApplicationController
 end
 ```
 
-### Generating tokens
+### URLs and links
 
-By default Passwordless generates tokens using Rails' `SecureRandom.urlsafe_base64` but you can change that by setting `Passwordless.token_generator` to something else that responds to `call(session)` eg.:
+By default, Passwordless uses the resource name given to `passwordless_for` to generate its routes and helpers.
+
+```ruby
+passwordless_for :users
+  # <%= users.sign_in_path %> # => /users/sign_in
+
+passwordless_for :users, at: '/', as: :auth
+  # <%= auth.sign_in_path %> # => /sign_in
+```
+
+Also be sure to [specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views).
+
+### Customize the way to send magic link
+
+By default, magic link will send by email. You can customize this method. For example, you can send magic link via SMS.
+
+config/initializers/passwordless.rb
+
+```
+Passwordless.after_session_save = lambda do |session, request|
+  # Default behavior is
+  # Passwordless::Mailer.magic_link(session).deliver_now
+
+  # You can change behavior to do something with session model. For example,
+  # session.authenticatable.send_sms
+end
+```
+
+You can access user model through authenticatable.
+
+### Generate your own magic links
+
+Currently there is not an officially supported way to generate your own magic links to send in your own mailers.
+
+However, you can accomplish this with the following snippet of code.
+
+```
+session = Passwordless::Session.new({
+  authenticatable: @manager,
+  user_agent: 'Command Line',
+  remote_addr: 'unknown',
+})
+session.save!
+@magic_link = send(Passwordless.mounted_as).token_sign_in_url(session.token)
+```
+
+You can further customize this URL by specifying the destination path to be redirected to after the user has logged in. You can do this by adding the `destination_path` query parameter to the end of the URL. For example
+```
+@magic_link = "#{@magic_link}?destination_path=/your-custom-path"
+```
+
+### Overrides
+
+By default `passwordless` uses the `passwordless_with` column to _case insensitively_ fetch the resource.
+
+You can override this and provide your own customer fetcher by defining a class method `fetch_resource_for_passwordless` in your passwordless model. The method will be called with the downcased email and should return an `ActiveRecord` instance of the model.
+
+Example time:
+
+Let's say we would like to fetch the record and if it doesn't exist, create automatically.
+
+```ruby
+class User < ApplicationRecord
+  def self.fetch_resource_for_passwordless(email)
+    find_or_create_by(email: email)
+  end
+end
+```
+
+## Configuration
+
+The following configuration parameters are supported. You can override these for example in `initializers/passwordless.rb`.
+
+The default values are shown below. It's recommended to only include the ones that you specifically want to override.
+
+```ruby
+Passwordless.default_from_address = "CHANGE_ME@example.com"
+Passwordless.parent_mailer = "ActionMailer::Base"
+Passwordless.token_generator = Passwordless::UrlSafeBase64Generator.new # Used to generate magic link tokens.
+Passwordless.restrict_token_reuse = false # By default a magic link token can be used multiple times.
+Passwordless.redirect_back_after_sign_in = true # When enabled the user will be redirected to their previous page, or a page specified by the `destination_path` query parameter, if available.
+
+Passwordless.expires_at = lambda { 1.year.from_now } # How long until a passwordless session expires.
+Passwordless.timeout_at = lambda { 1.hour.from_now } # How long until a magic link expires.
+
+# Default redirection paths
+Passwordless.success_redirect_path = '/' # When a user succeeds in logging in.
+Passwordless.failure_redirect_path = '/' # When a a login is failed for any reason.
+Passwordless.sign_out_redirect_path = '/' # When a user logs out.
+```
+
+### Customizing token generation
+
+By default Passwordless generates tokens using `SecureRandom.urlsafe_base64` but you can change that by setting `Passwordless.token_generator` to something else that responds to `call(session)` eg.:
 
 ```ruby
 Passwordless.token_generator = -> (session) {
@@ -219,41 +308,39 @@ end
 
 This can be turned off with `Passwordless.redirect_back_after_sign_in = false` but if you just don't save the previous destination, you'll be fine.
 
-### URLs and links
+### Claiming tokens
 
-By default, Passwordless uses the resource name given to `passwordless_for` to generate its routes and helpers.
+Opt-in for marking tokens as `claimed` so they can only be used once.
 
-```ruby
-passwordless_for :users
-  # <%= users.sign_in_path %> # => /users/sign_in
+config/initializers/passwordless.rb
 
-passwordless_for :users, at: '/', as: :auth
-  # <%= auth.sign_in_path %> # => /sign_in
+```ruby
+# Default is `false`
+Passwordless.restrict_token_reuse = true
 ```
 
-Also be sure to [specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views).
-
-
-### Customize the way to send magic link
+#### Upgrading an existing Rails app
 
-By default, magic link will send by email. You can customize this method. For example, you can send magic link via SMS.
+The simplest way to update your sessions table is with a single migration:
 
-config/initializers/passwordless.rb
+<details>
+<summary>Example migration</summary>
 
+```bash
+bin/rails generate migration add_claimed_at_to_passwordless_sessions
 ```
-Passwordless.after_session_save = lambda do |session|
-  # Default behavior is
-  # Mailer.magic_link(session).deliver_now
 
-  # You can change behavior to do something with session model. For example,
-  # session.authenticatable.send_sms
+```ruby
+class AddClaimedAtToPasswordlessSessions < ActiveRecord::Migration[5.2]
+  def change
+    add_column :passwordless_sessions, :claimed_at, :datetime
+  end
 end
-```
-
-You can access user model through authenticatable.
 
+```
+</details>
 
-### E-mail security
+## E-mail security
 
 There's no reason that this approach should be less secure than the usual username/password combo. In fact this is most often a more secure option, as users don't get to choose the weak passwords they still use. In a way this is just the same as having each user go through "Forgot password" on every login.
 
@@ -261,6 +348,10 @@ But be aware that when everyone authenticates via emails you send, the way you s
 
 Ideally you should set up your email provider to not log these mails. And be sure to turn on 2-factor auth if your provider supports it.
 
+# Alternatives
+
+- [OTP JWT](https://github.com/stas/otp-jwt) -- Passwordless JSON Web Tokens
+
 # License
 
 MIT

data/app/controllers/passwordless/sessions_controller.rb

@@ -5,9 +5,6 @@ require "bcrypt"
 module Passwordless
   # Controller for managing Passwordless sessions
   class SessionsController < ApplicationController
-    # Raise this exception when a session is expired.
-    class SessionTimedOutError < StandardError; end
-
     include ControllerHelpers
 
     # get '/sign_in'
@@ -23,10 +20,15 @@ module Passwordless
     #   renders sessions/create.html.erb.
     # @see Mailer#magic_link Mailer#magic_link
     def create
-      session = build_passwordless_session(find_authenticatable)
+      @resource = find_authenticatable
+      session = build_passwordless_session(@resource)
 
       if session.save
-        Passwordless.after_session_save.call(session)
+        if Passwordless.after_session_save.arity == 2
+          Passwordless.after_session_save.call(session, request)
+        else
+          Passwordless.after_session_save.call(session)
+        end
       end
 
       render
@@ -41,23 +43,15 @@ module Passwordless
     def show
       # Make it "slow" on purpose to make brute-force attacks more of a hassle
       BCrypt::Password.create(params[:token])
+      sign_in passwordless_session
 
-      session = find_session
-      raise SessionTimedOutError if session.timed_out?
-
-      sign_in session.authenticatable
-
-      redirect_enabled = Passwordless.redirect_back_after_sign_in
-      destination = reset_passwordless_redirect_location!(User)
-
-      if redirect_enabled && destination
-        redirect_to destination
-      else
-        redirect_to main_app.root_path
-      end
-    rescue SessionTimedOutError
+      redirect_to passwordless_success_redirect_path
+    rescue Errors::TokenAlreadyClaimedError
+      flash[:error] = I18n.t(".passwordless.sessions.create.token_claimed")
+      redirect_to passwordless_failure_redirect_path
+    rescue Errors::SessionTimedOutError
       flash[:error] = I18n.t(".passwordless.sessions.create.session_expired")
-      redirect_to main_app.root_path
+      redirect_to passwordless_failure_redirect_path
     end
 
     # match '/sign_out', via: %i[get delete].
@@ -65,7 +59,31 @@ module Passwordless
     # @see ControllerHelpers#sign_out
     def destroy
       sign_out authenticatable_class
-      redirect_to main_app.root_path
+      redirect_to passwordless_sign_out_redirect_path
+    end
+
+    protected
+
+    def passwordless_sign_out_redirect_path
+      Passwordless.sign_out_redirect_path
+    end
+
+    def passwordless_failure_redirect_path
+      Passwordless.failure_redirect_path
+    end
+
+    def passwordless_query_redirect_path
+      query_redirect_uri = URI(params[:destination_path])
+      query_redirect_uri.to_s if query_redirect_uri.host.nil? || query_redirect_uri.host == URI(request.url).host
+    rescue URI::InvalidURIError, ArgumentError
+      nil
+    end
+
+    def passwordless_success_redirect_path
+      return Passwordless.success_redirect_path unless Passwordless.redirect_back_after_sign_in
+
+      session_redirect_url = reset_passwordless_redirect_location!(authenticatable_class)
+      passwordless_query_redirect_path || session_redirect_url || Passwordless.success_redirect_path
     end
 
     private
@@ -87,19 +105,17 @@ module Passwordless
     end
 
     def find_authenticatable
-      email = params[:passwordless][email_field].downcase
+      email = params[:passwordless][email_field].downcase.strip
 
       if authenticatable_class.respond_to?(:fetch_resource_for_passwordless)
         authenticatable_class.fetch_resource_for_passwordless(email)
       else
-        authenticatable_class.where(
-          "lower(#{email_field}) = ?", params[:passwordless][email_field].downcase
-        ).first
+        authenticatable_class.where("lower(#{email_field}) = ?", email).first
       end
     end
 
-    def find_session
-      Session.find_by!(
+    def passwordless_session
+      @passwordless_session ||= Session.find_by!(
         authenticatable_type: authenticatable_classname,
         token: params[:token]
       )

data/app/mailers/passwordless/mailer.rb

@@ -2,7 +2,7 @@
 
 module Passwordless
   # The mailer responsible for sending Passwordless' mails.
-  class Mailer < ActionMailer::Base
+  class Mailer < Passwordless.parent_mailer.constantize
     default from: Passwordless.default_from_address
 
     # Sends a magic link (secret token) email.
@@ -11,7 +11,7 @@ module Passwordless
       @session = session
 
       @magic_link = send(Passwordless.mounted_as)
-        .token_sign_in_url(session.token)
+                      .token_sign_in_url(session.token)
 
       email_field = @session.authenticatable.class.passwordless_email_field
       mail(

data/app/models/passwordless/session.rb

@@ -18,10 +18,17 @@ module Passwordless
 
     before_validation :set_defaults
 
-    scope :valid, lambda {
-      where("timeout_at > ?", Time.current)
+    scope :available, lambda {
+      where("expires_at > ?", Time.current)
     }
 
+    def self.valid
+      available
+    end
+    class << self
+      deprecate :valid, deprecator: SessionValidDeprecation
+    end
+
     def expired?
       expires_at <= Time.current
     end
@@ -30,6 +37,19 @@ module Passwordless
       timeout_at <= Time.current
     end
 
+    def claim!
+      raise Errors::TokenAlreadyClaimedError if claimed?
+      touch(:claimed_at)
+    end
+
+    def claimed?
+      !!claimed_at
+    end
+
+    def available?
+      !expired?
+    end
+
     private
 
     def set_defaults

data/config/locales/en.yml

@@ -5,8 +5,9 @@ en:
       create:
         session_expired: 'Your session has expired, please sign in again.'
         email_sent_if_record_found: "If we found you in the system, we've sent you an email."
+        token_claimed: "This link has already been used, try requesting the link again"
       new:
         submit: 'Send magic link'
     mailer:
-      subject: "Your magic link ✨'"
+      subject: "Your magic link ✨"
       magic_link: "Here's your link: %{link}"

data/db/migrate/20171104221735_create_passwordless_sessions.rb

@@ -10,6 +10,7 @@ class CreatePasswordlessSessions < ActiveRecord::Migration[5.1]
       )
       t.datetime :timeout_at, null: false
       t.datetime :expires_at, null: false
+      t.datetime :claimed_at
       t.text :user_agent, null: false
       t.string :remote_addr, null: false
       t.string :token, null: false

data/lib/passwordless.rb

@@ -1,17 +1,29 @@
 # frozen_string_literal: true
 
+require "active_support"
+require "passwordless/errors"
 require "passwordless/engine"
 require "passwordless/url_safe_base_64_generator"
 
 # The main Passwordless module
 module Passwordless
+  mattr_accessor(:parent_mailer) { "ActionMailer::Base" }
   mattr_accessor(:default_from_address) { "CHANGE_ME@example.com" }
   mattr_accessor(:token_generator) { UrlSafeBase64Generator.new }
+  mattr_accessor(:restrict_token_reuse) { false }
   mattr_accessor(:redirect_back_after_sign_in) { true }
   mattr_accessor(:mounted_as) { :configured_when_mounting_passwordless }
 
   mattr_accessor(:expires_at) { lambda { 1.year.from_now } }
   mattr_accessor(:timeout_at) { lambda { 1.hour.from_now } }
+  mattr_accessor(:success_redirect_path) { "/" }
+  mattr_accessor(:failure_redirect_path) { "/" }
+  mattr_accessor(:sign_out_redirect_path) { "/" }
 
-  mattr_accessor(:after_session_save) { lambda { |session| Mailer.magic_link(session).deliver_now } }
+  mattr_accessor(:after_session_save) do
+    lambda { |session, _request| Mailer.magic_link(session).deliver_now }
+  end
+
+  CookieDeprecation = ActiveSupport::Deprecation.new("0.9", "passwordless")
+  SessionValidDeprecation = ActiveSupport::Deprecation.new("0.9", "passwordless")
 end

data/lib/passwordless/controller_helpers.rb

@@ -3,6 +3,12 @@
 module Passwordless
   # Helpers to work with Passwordless sessions from controllers
   module ControllerHelpers
+    # Returns the {Passwordless::Session} (if set) from the session.
+    # @return [Session, nil]
+    def find_passwordless_session_for(authenticatable_class)
+      Passwordless::Session.find_by(id: session[session_key(authenticatable_class)])
+    end
+
     # Build a new Passwordless::Session from an _authenticatable_ record.
     # Set's `user_agent` and `remote_addr` from Rails' `request`.
     # @param authenticatable [ActiveRecord::Base] Instance of an
@@ -17,6 +23,7 @@ module Passwordless
       end
     end
 
+    # @deprecated Use {ControllerHelpers#authenticate_by_session}
     # Authenticate a record using cookies. Looks for a cookie corresponding to
     # the _authenticatable_class_. If found try to find it in the database.
     # @param authenticatable_class [ActiveRecord::Base] any Model connected to
@@ -27,54 +34,119 @@ module Passwordless
     def authenticate_by_cookie(authenticatable_class)
       key = cookie_name(authenticatable_class)
       authenticatable_id = cookies.encrypted[key]
-      return unless authenticatable_id
 
-      authenticatable_class.find_by(id: authenticatable_id)
+      return authenticatable_class.find_by(id: authenticatable_id) if authenticatable_id
+
+      authenticate_by_session(authenticatable_class)
+    end
+    deprecate :authenticate_by_cookie, deprecator: CookieDeprecation
+
+    def upgrade_passwordless_cookie(authenticatable_class)
+      key = cookie_name(authenticatable_class)
+
+      return unless (authenticatable_id = cookies.encrypted[key])
+      cookies.encrypted.permanent[key] = {value: nil}
+      cookies.delete(key)
+
+      return unless (record = authenticatable_class.find_by(id: authenticatable_id))
+      new_session = build_passwordless_session(record).tap { |s| s.save! }
+
+      sign_in new_session
+
+      new_session.authenticatable
+    end
+
+    # Authenticate a record using the session. Looks for a session key corresponding to
+    # the _authenticatable_class_. If found try to find it in the database.
+    # @param authenticatable_class [ActiveRecord::Base] any Model connected to
+    #   passwordless. (e.g - _User_ or _Admin_).
+    # @return [ActiveRecord::Base|nil] an instance of Model found by id stored
+    #   in cookies.encrypted or nil if nothing is found.
+    # @see ModelHelpers#passwordless_with
+    def authenticate_by_session(authenticatable_class)
+      return unless find_passwordless_session_for(authenticatable_class)&.available?
+      find_passwordless_session_for(authenticatable_class).authenticatable
     end
 
-    # Signs in user by assigning their id to a permanent cookie.
-    # @param authenticatable [ActiveRecord::Base] Instance of Model to sign in
-    #   (e.g - @user when @user = User.find(id: some_id)).
+    # Signs in session
+    # @param authenticatable [Passwordless::Session] Instance of {Passwordless::Session}
+    # to sign in
     # @return [ActiveRecord::Base] the record that is passed in.
-    def sign_in(authenticatable)
-      key = cookie_name(authenticatable.class)
-      cookies.encrypted.permanent[key] = {value: authenticatable.id}
-      authenticatable
+    def sign_in(record)
+      passwordless_session =
+        if record.is_a?(Passwordless::Session)
+          record
+        else
+          warn "Passwordless::ControllerHelpers#sign_in with authenticatable " \
+            "(`#{record.class}') is deprecated. Falling back to creating a " \
+            "new Passwordless::Session"
+          build_passwordless_session(record).tap { |s| s.save! }
+        end
+
+      passwordless_session.claim! if Passwordless.restrict_token_reuse
+
+      raise Passwordless::Errors::SessionTimedOutError if passwordless_session.timed_out?
+
+      key = session_key(passwordless_session.authenticatable_type)
+      session[key] = passwordless_session.id
+
+      if record.is_a?(Passwordless::Session)
+        passwordless_session
+      else
+        passwordless_session.authenticatable
+      end
     end
 
-    # Signs out user by deleting their encrypted cookie.
-    # @param (see #authenticate_by_cookie)
+    # Signs out user by deleting the session key.
+    # @param (see #authenticate_by_session)
     # @return [boolean] Always true
     def sign_out(authenticatable_class)
+      # Deprecated - cookies
       key = cookie_name(authenticatable_class)
       cookies.encrypted.permanent[key] = {value: nil}
       cookies.delete(key)
+      # /deprecated
+
+      reset_session
       true
     end
 
     # Saves request.original_url as the redirect location for a
     # passwordless Model.
-    # @param (see #authenticate_by_cookie)
+    # @param (see #authenticate_by_session)
     # @return [String] the redirect url that was just saved.
     def save_passwordless_redirect_location!(authenticatable_class)
-      session[session_key(authenticatable_class)] = request.original_url
+      session[redirect_session_key(authenticatable_class)] = request.original_url
     end
 
     # Resets the redirect_location to root_path by deleting the redirect_url
     # from session.
-    # @param (see #authenticate_by_cookie)
+    # @param (see #authenticate_by_session)
     # @return [String, nil] the redirect url that was just deleted,
     #   or nil if no url found for given Model.
     def reset_passwordless_redirect_location!(authenticatable_class)
-      session.delete session_key(authenticatable_class)
+      session.delete(redirect_session_key(authenticatable_class))
+    end
+
+    def session_key(authenticatable_class)
+      :"passwordless_session_id--#{authenticatable_class_parameterized(authenticatable_class)}"
+    end
+
+    def redirect_session_key(authenticatable_class)
+      :"passwordless_prev_location--#{authenticatable_class_parameterized(authenticatable_class)}"
     end
 
     private
 
-    def session_key(authenticatable_class)
-      :"passwordless_prev_location--#{authenticatable_class.base_class}"
+    def authenticatable_class_parameterized(authenticatable_class)
+      if authenticatable_class.is_a?(String)
+        authenticatable_class = authenticatable_class.constantize
+      end
+
+      authenticatable_class.base_class.to_s.parameterize
     end
 
+    # Deprecated
     def cookie_name(authenticatable_class)
       :"#{authenticatable_class.base_class.to_s.underscore}_id"
     end

data/lib/passwordless/errors.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Passwordless
+  module Errors
+    # Raise this exception when a session is expired.
+    class SessionTimedOutError < StandardError; end
+
+    # Raise this exception when the token has been previously claimed
+    class TokenAlreadyClaimedError < StandardError; end
+  end
+end

data/lib/passwordless/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Passwordless
-  VERSION = '0.7.0' # :nodoc:
+  VERSION = "0.10.0" # :nodoc:
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passwordless
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Mikkel Malmberg
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-03-06 00:00:00.000000000 Z
+date: 2020-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.6
+        version: 1.4.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.6
+        version: 1.4.1
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -80,7 +80,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - mikkel@brnbw.com
 executables: []
@@ -104,6 +104,7 @@ files:
 - lib/passwordless.rb
 - lib/passwordless/controller_helpers.rb
 - lib/passwordless/engine.rb
+- lib/passwordless/errors.rb
 - lib/passwordless/model_helpers.rb
 - lib/passwordless/router_helpers.rb
 - lib/passwordless/url_safe_base_64_generator.rb
@@ -112,7 +113,7 @@ homepage: https://github.com/mikker/passwordless
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -127,8 +128,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Add authentication to your app without all the ickyness of passwords.
 test_files: []