passwordless 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb17c0cc08c9dd0062b47d67a470adeee2d0e7dc618e48967180eea61796f47a
-  data.tar.gz: 870dd7a03e131344f20bdee24ab614e1ef66ff3fe8faf9d4bd05bb08adce032d
+  metadata.gz: 5f6c0006a3a1aa712922ef4c48b3afc4b5f1b722d9f37f624b367cb2e66ea895
+  data.tar.gz: 2c06ad86a47e11757a978fd879b7ab23e888589ecc1e734740886f148d1abb5a
 SHA512:
-  metadata.gz: e43144bae67ad300ae753fe131ec6b09fcf997c975e2fcb9a819d457fb0178797d03b4e7278c3c92c4cc18664c54c5231de428be7f6fc63c05a878516e628f7a
-  data.tar.gz: 5aeca84a612458d6e2dce0b0e9335d80a9f4e4af730540a148c3ef0ed6056417a33b444bfc17c19adf06744a7a2fa38dccb82189206bf2c86354352540b41e7e
+  metadata.gz: 1cecfce2bcc7a6427cd037123aa4733c034126f2f55d47445d8439144db325aa00796cadfa9da40daa429a54073a7fc5c4e61d6f088fd2c8feb8fc653cd593fb
+  data.tar.gz: 673f6c504efd94c5f01f2bd073c427012e91d4c6bacf1a113cdc851b1bcb083183a7634ded733ac22f307e9ef4ccf4fbd2a30919dddce5ce0683e3c61b04380e

data/README.md

@@ -16,6 +16,7 @@ Add authentication to your Rails app without all the icky-ness of passwords.
 * [Usage](#usage)
      * [Getting the current user, restricting access, the usual](#getting-the-current-user-restricting-access-the-usual)
      * [Providing your own templates](#providing-your-own-templates)
+     * [Claming tokens](#claiming-tokens)
      * [Overrides](#overrides)
      * [Registering new users](#registering-new-users)
      * [Generating tokens](#generating-tokens)
@@ -43,7 +44,7 @@ $ bin/rails passwordless:install:migrations
 
 ## Usage
 
-Passwordless creates a single model called `Passwordless::Session`. It doesn't come with its own `User` model, it expects you to create one, eg.:
+Passwordless creates a single model called `Passwordless::Session`. It doesn't come with its own `User` model, it expects you to create one:
 
 ```
 $ bin/rails generate model User email
@@ -71,7 +72,7 @@ end
 
 ### Getting the current user, restricting access, the usual
 
-Passwordless doesn't give you `current_user` automatically -- it's dead easy to add it though:
+Passwordless doesn't give you `current_user` automatically. Here's how you could add it:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -84,7 +85,7 @@ class ApplicationController < ActionController::Base
   private
 
   def current_user
-    @current_user ||= authenticate_by_cookie(User)
+    @current_user ||= authenticate_by_session(User)
   end
 
   def require_user!
@@ -121,36 +122,20 @@ app/views/passwordless/mailer/magic_link.text.erb
 
 See [the bundled views](https://github.com/mikker/passwordless/tree/master/app/views/passwordless).
 
-### Overrides
-
-By default `passwordless` uses the `passwordless_with` column you specify in the model to case insensitively fetch the resource during authentication. You can override this and provide your own customer fetcher by defining a class method `fetch_resource_for_passwordless` in your passwordless model. The method will be supplied with the downcased email and should return an `ActiveRecord` instance of the model.
-
-Example time:
-
-Let's say we would like to fetch the record and if it doesn't exist, create automatically.
-
-```ruby
-class User < ApplicationRecord
-  def self.fetch_resource_for_passwordless(email)
-    find_or_create_by(email: email)
-  end
-end
-```
-
 ### Registering new users
 
-Because your `User` record is like any other record, you create one like you normally would. Passwordless provides a helper method you can use to sign in the created user after it is saved like so:
+Because your `User` record is like any other record, you create one like you normally would. Passwordless provides a helper method to sign in the created user after it is saved – like so:
 
 ```ruby
 class UsersController < ApplicationController
   include Passwordless::ControllerHelpers # <-- This!
-  #  (unless you already have it in your ApplicationController)
+  # (unless you already have it in your ApplicationController)
 
   def create
     @user = User.new user_params
 
     if @user.save
-      sign_in @user # <-- And this!
+      sign_in @user # <-- This!
       redirect_to @user, flash: {notice: 'Welcome!'}
     else
       render :new
@@ -163,7 +148,7 @@ end
 
 ### Generating tokens
 
-By default Passwordless generates tokens using Rails' `SecureRandom.urlsafe_base64` but you can change that by setting `Passwordless.token_generator` to something else that responds to `call(session)` eg.:
+By default Passwordless generates tokens using `SecureRandom.urlsafe_base64` but you can change that by setting `Passwordless.token_generator` to something else that responds to `call(session)` eg.:
 
 ```ruby
 Passwordless.token_generator = -> (session) {
@@ -241,7 +226,7 @@ By default, magic link will send by email. You can customize this method. For ex
 config/initializers/passwordless.rb
 
 ```
-Passwordless.after_session_save = lambda do |session|
+Passwordless.after_session_save = lambda do |session, request|
   # Default behavior is
   # Mailer.magic_link(session).deliver_now
 
@@ -252,6 +237,55 @@ end
 
 You can access user model through authenticatable.
 
+### Claiming tokens
+
+Opt-in for marking tokens as `claimed` so they can only be used once.
+
+config/initializers/passwordless.rb
+
+```ruby
+# Default is `false`
+Passwordless.restrict_token_reuse = true
+```
+
+#### Upgrading an existing Rails app
+
+The simplest way to update your sessions table is with a single migration:
+
+<details>
+<summary>Example migration</summary>
+
+```bash
+bin/rails generate migration add_claimed_at_to_passwordless_sessions
+```
+
+```ruby
+class AddClaimedAtToPasswordlessSessions < ActiveRecord::Migration[5.2]
+  def change
+    add_column :passwordless_sessions, :claimed_at, :datetime
+  end
+end
+
+```
+</details>
+
+### Overrides
+
+By default `passwordless` uses the `passwordless_with` column to _case insensitively_ fetch the resource.
+
+You can override this and provide your own customer fetcher by defining a class method `fetch_resource_for_passwordless` in your passwordless model. The method will be called with the downcased email and should return an `ActiveRecord` instance of the model.
+
+Example time:
+
+Let's say we would like to fetch the record and if it doesn't exist, create automatically.
+
+```ruby
+class User < ApplicationRecord
+  def self.fetch_resource_for_passwordless(email)
+    find_or_create_by(email: email)
+  end
+end
+```
 
 ### E-mail security
 
@@ -261,6 +295,10 @@ But be aware that when everyone authenticates via emails you send, the way you s
 
 Ideally you should set up your email provider to not log these mails. And be sure to turn on 2-factor auth if your provider supports it.
 
+# Alternatives
+
+- [OTP JWT](https://github.com/stas/otp-jwt) -- Passwordless JSON Web Tokens
+
 # License
 
 MIT

data/app/controllers/passwordless/sessions_controller.rb

@@ -5,9 +5,6 @@ require "bcrypt"
 module Passwordless
   # Controller for managing Passwordless sessions
   class SessionsController < ApplicationController
-    # Raise this exception when a session is expired.
-    class SessionTimedOutError < StandardError; end
-
     include ControllerHelpers
 
     # get '/sign_in'
@@ -26,7 +23,11 @@ module Passwordless
       session = build_passwordless_session(find_authenticatable)
 
       if session.save
-        Passwordless.after_session_save.call(session)
+        if Passwordless.after_session_save.arity == 2
+          Passwordless.after_session_save.call(session, request)
+        else
+          Passwordless.after_session_save.call(session)
+        end
       end
 
       render
@@ -42,20 +43,17 @@ module Passwordless
       # Make it "slow" on purpose to make brute-force attacks more of a hassle
       BCrypt::Password.create(params[:token])
 
-      session = find_session
-      raise SessionTimedOutError if session.timed_out?
-
-      sign_in session.authenticatable
+      destination =
+        Passwordless.redirect_back_after_sign_in &&
+        reset_passwordless_redirect_location!(User)
 
-      redirect_enabled = Passwordless.redirect_back_after_sign_in
-      destination = reset_passwordless_redirect_location!(User)
+      sign_in passwordless_session
 
-      if redirect_enabled && destination
-        redirect_to destination
-      else
-        redirect_to main_app.root_path
-      end
-    rescue SessionTimedOutError
+      redirect_to destination || main_app.root_path
+    rescue Errors::TokenAlreadyClaimedError
+      flash[:error] = I18n.t(".passwordless.sessions.create.token_claimed")
+      redirect_to main_app.root_path
+    rescue Errors::SessionTimedOutError
       flash[:error] = I18n.t(".passwordless.sessions.create.session_expired")
       redirect_to main_app.root_path
     end
@@ -98,8 +96,8 @@ module Passwordless
       end
     end
 
-    def find_session
-      Session.find_by!(
+    def passwordless_session
+      @passwordless_session ||= Session.find_by!(
         authenticatable_type: authenticatable_classname,
         token: params[:token]
       )

data/app/models/passwordless/session.rb

@@ -18,10 +18,17 @@ module Passwordless
 
     before_validation :set_defaults
 
-    scope :valid, lambda {
+    scope :available, lambda {
       where("timeout_at > ?", Time.current)
     }
 
+    def self.valid
+      available
+    end
+    class << self
+      deprecate :valid, deprecator: SessionValidDeprecation
+    end
+
     def expired?
       expires_at <= Time.current
     end
@@ -30,6 +37,19 @@ module Passwordless
       timeout_at <= Time.current
     end
 
+    def claim!
+      raise Errors::TokenAlreadyClaimedError if claimed?
+      touch(:claimed_at)
+    end
+
+    def claimed?
+      !!claimed_at
+    end
+
+    def available?
+      !timed_out? && !expired?
+    end
+
     private
 
     def set_defaults

data/config/locales/en.yml

@@ -5,8 +5,9 @@ en:
       create:
         session_expired: 'Your session has expired, please sign in again.'
         email_sent_if_record_found: "If we found you in the system, we've sent you an email."
+        token_claimed: "This link has already been used, try requesting the link again"
       new:
         submit: 'Send magic link'
     mailer:
-      subject: "Your magic link ✨'"
+      subject: "Your magic link ✨"
       magic_link: "Here's your link: %{link}"

data/db/migrate/20171104221735_create_passwordless_sessions.rb

@@ -10,6 +10,7 @@ class CreatePasswordlessSessions < ActiveRecord::Migration[5.1]
       )
       t.datetime :timeout_at, null: false
       t.datetime :expires_at, null: false
+      t.datetime :claimed_at
       t.text :user_agent, null: false
       t.string :remote_addr, null: false
       t.string :token, null: false

data/lib/passwordless.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "active_support"
+require "passwordless/errors"
 require "passwordless/engine"
 require "passwordless/url_safe_base_64_generator"
 
@@ -7,11 +9,17 @@ require "passwordless/url_safe_base_64_generator"
 module Passwordless
   mattr_accessor(:default_from_address) { "CHANGE_ME@example.com" }
   mattr_accessor(:token_generator) { UrlSafeBase64Generator.new }
+  mattr_accessor(:restrict_token_reuse) { false }
   mattr_accessor(:redirect_back_after_sign_in) { true }
   mattr_accessor(:mounted_as) { :configured_when_mounting_passwordless }
 
   mattr_accessor(:expires_at) { lambda { 1.year.from_now } }
   mattr_accessor(:timeout_at) { lambda { 1.hour.from_now } }
 
-  mattr_accessor(:after_session_save) { lambda { |session| Mailer.magic_link(session).deliver_now } }
+  mattr_accessor(:after_session_save) do
+    lambda { |session, _request| Mailer.magic_link(session).deliver_now }
+  end
+
+  CookieDeprecation = ActiveSupport::Deprecation.new("0.9", "passwordless")
+  SessionValidDeprecation = ActiveSupport::Deprecation.new("0.9", "passwordless")
 end

data/lib/passwordless/controller_helpers.rb

@@ -3,6 +3,12 @@
 module Passwordless
   # Helpers to work with Passwordless sessions from controllers
   module ControllerHelpers
+    # Returns the {Passwordless::Session} (if set) from the session.
+    # @return [Session, nil]
+    def find_passwordless_session_for(authenticatable_class)
+      Passwordless::Session.find_by(id: session[session_key(authenticatable_class)])
+    end
+
     # Build a new Passwordless::Session from an _authenticatable_ record.
     # Set's `user_agent` and `remote_addr` from Rails' `request`.
     # @param authenticatable [ActiveRecord::Base] Instance of an
@@ -17,6 +23,7 @@ module Passwordless
       end
     end
 
+    # @deprecated Use {ControllerHelpers#authenticate_by_session}
     # Authenticate a record using cookies. Looks for a cookie corresponding to
     # the _authenticatable_class_. If found try to find it in the database.
     # @param authenticatable_class [ActiveRecord::Base] any Model connected to
@@ -27,54 +34,119 @@ module Passwordless
     def authenticate_by_cookie(authenticatable_class)
       key = cookie_name(authenticatable_class)
       authenticatable_id = cookies.encrypted[key]
-      return unless authenticatable_id
 
-      authenticatable_class.find_by(id: authenticatable_id)
+      return authenticatable_class.find_by(id: authenticatable_id) if authenticatable_id
+
+      authenticate_by_session(authenticatable_class)
+    end
+    deprecate :authenticate_by_cookie, deprecator: CookieDeprecation
+
+    def upgrade_passwordless_cookie(authenticatable_class)
+      key = cookie_name(authenticatable_class)
+
+      return unless authenticatable_id = cookies.encrypted[key]
+      cookies.encrypted.permanent[key] = {value: nil}
+      cookies.delete(key)
+
+      return unless record = authenticatable_class.find_by(id: authenticatable_id)
+      new_session = build_passwordless_session(record).tap { |s| s.save! }
+
+      sign_in new_session
+
+      new_session.authenticatable
+    end
+
+    # Authenticate a record using the session. Looks for a session key corresponding to
+    # the _authenticatable_class_. If found try to find it in the database.
+    # @param authenticatable_class [ActiveRecord::Base] any Model connected to
+    #   passwordless. (e.g - _User_ or _Admin_).
+    # @return [ActiveRecord::Base|nil] an instance of Model found by id stored
+    #   in cookies.encrypted or nil if nothing is found.
+    # @see ModelHelpers#passwordless_with
+    def authenticate_by_session(authenticatable_class)
+      return unless find_passwordless_session_for(authenticatable_class)&.available?
+      find_passwordless_session_for(authenticatable_class).authenticatable
     end
 
-    # Signs in user by assigning their id to a permanent cookie.
-    # @param authenticatable [ActiveRecord::Base] Instance of Model to sign in
-    #   (e.g - @user when @user = User.find(id: some_id)).
+    # Signs in session
+    # @param authenticatable [Passwordless::Session] Instance of {Passwordless::Session}
+    # to sign in
     # @return [ActiveRecord::Base] the record that is passed in.
-    def sign_in(authenticatable)
-      key = cookie_name(authenticatable.class)
-      cookies.encrypted.permanent[key] = {value: authenticatable.id}
-      authenticatable
+    def sign_in(record)
+      passwordless_session =
+        if record.is_a?(Passwordless::Session)
+          record
+        else
+          warn "Passwordless::ControllerHelpers#sign_in with authenticatable " \
+            "(`#{record.class}') is deprecated. Falling back to creating a " \
+            "new Passwordless::Session"
+          build_passwordless_session(record).tap { |s| s.save! }
+        end
+
+      passwordless_session.claim! if Passwordless.restrict_token_reuse
+
+      raise Passwordless::Errors::SessionTimedOutError if passwordless_session.timed_out?
+
+      key = session_key(passwordless_session.authenticatable_type)
+      session[key] = passwordless_session.id
+
+      if record.is_a?(Passwordless::Session)
+        passwordless_session
+      else
+        passwordless_session.authenticatable
+      end
     end
 
-    # Signs out user by deleting their encrypted cookie.
-    # @param (see #authenticate_by_cookie)
+    # Signs out user by deleting the session key.
+    # @param (see #authenticate_by_session)
     # @return [boolean] Always true
     def sign_out(authenticatable_class)
+      # Deprecated - cookies
       key = cookie_name(authenticatable_class)
       cookies.encrypted.permanent[key] = {value: nil}
       cookies.delete(key)
+      # /deprecated
+
+      reset_session
       true
     end
 
     # Saves request.original_url as the redirect location for a
     # passwordless Model.
-    # @param (see #authenticate_by_cookie)
+    # @param (see #authenticate_by_session)
     # @return [String] the redirect url that was just saved.
     def save_passwordless_redirect_location!(authenticatable_class)
-      session[session_key(authenticatable_class)] = request.original_url
+      session[redirect_session_key(authenticatable_class)] = request.original_url
     end
 
     # Resets the redirect_location to root_path by deleting the redirect_url
     # from session.
-    # @param (see #authenticate_by_cookie)
+    # @param (see #authenticate_by_session)
     # @return [String, nil] the redirect url that was just deleted,
     #   or nil if no url found for given Model.
     def reset_passwordless_redirect_location!(authenticatable_class)
-      session.delete session_key(authenticatable_class)
+      session.delete(redirect_session_key(authenticatable_class))
+    end
+
+    def session_key(authenticatable_class)
+      :"passwordless_session_id--#{authenticatable_class_parameterized(authenticatable_class)}"
     end
 
     private
 
-    def session_key(authenticatable_class)
-      :"passwordless_prev_location--#{authenticatable_class.base_class}"
+    def authenticatable_class_parameterized(authenticatable_class)
+      if authenticatable_class.is_a?(String)
+        authenticatable_class = authenticatable_class.constantize
+      end
+
+      authenticatable_class.base_class.to_s.parameterize
+    end
+
+    def redirect_session_key(authenticatable_class)
+      :"passwordless_prev_location--#{authenticatable_class_parameterized(authenticatable_class)}"
     end
 
+    # Deprecated
     def cookie_name(authenticatable_class)
       :"#{authenticatable_class.base_class.to_s.underscore}_id"
     end

data/lib/passwordless/errors.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Passwordless
+  module Errors
+    # Raise this exception when a session is expired.
+    class SessionTimedOutError < StandardError; end
+
+    # Raise this exception when the token has been previously claimed
+    class TokenAlreadyClaimedError < StandardError; end
+  end
+end

data/lib/passwordless/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Passwordless
-  VERSION = '0.7.0' # :nodoc:
+  VERSION = "0.8.0" # :nodoc:
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passwordless
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Mikkel Malmberg
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-06 00:00:00.000000000 Z
+date: 2019-07-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.6
+        version: 1.4.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.6
+        version: 1.4.1
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -104,6 +104,7 @@ files:
 - lib/passwordless.rb
 - lib/passwordless/controller_helpers.rb
 - lib/passwordless/engine.rb
+- lib/passwordless/errors.rb
 - lib/passwordless/model_helpers.rb
 - lib/passwordless/router_helpers.rb
 - lib/passwordless/url_safe_base_64_generator.rb
@@ -127,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.4
 signing_key: 
 specification_version: 4
 summary: Add authentication to your app without all the ickyness of passwords.