passwordless 0.8.2 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b19e22b9a7152b299c8f639339709ebeaa3616ecfd7a85f461af205d8f6ad635
-  data.tar.gz: 8858c326d1457db832e08909957948d49d525bde1d45effa52e4d8e9b22f0374
+  metadata.gz: 906aa2b5a4bf5184d18d837c68565897bbeaa110550e875f44aaa71c8fee4c01
+  data.tar.gz: b0155e0411c6f1ffca21b22f5f38da4f656c61770280bb3f0afa9ba9d1f6f737
 SHA512:
-  metadata.gz: 146b741cd502a702a10ed5169575eb5d6e9c47b0be8469e74b4e2369d2ecb82c1845624afe04aac2cac4e701deb6ea726e916dc1019007bdacd48e510272c9b7
-  data.tar.gz: f95c455c20f127c1a86c0df6763afdf2f90312afd429b81f96b8dd1e0901ac17c7cb3e8c1ff38d858d5208149eedf8257eff0b1e40809aa58c2189df58d1f90b
+  metadata.gz: 19718426b946b054f327c13c00570a3ded2aba29d06f8b70cd446185ca2b92f969aee23faab8bda77a9f66f54aae6b7b493193d18f696ceaca427ec624b8d51c
+  data.tar.gz: 95dbb1810540c40de5e1a828d61477f0786698e79ea47a5c65b5efba23108791aefa9c2a747550b8e46e56256f0281ad61d1b34ceb06f13f28d8063affde4469

data/README.md

@@ -14,17 +14,19 @@ Add authentication to your Rails app without all the icky-ness of passwords.
 
 * [Installation](#installation)
 * [Usage](#usage)
-     * [Getting the current user, restricting access, the usual](#getting-the-current-user-restricting-access-the-usual)
-     * [Providing your own templates](#providing-your-own-templates)
-     * [Claming tokens](#claiming-tokens)
-     * [Overrides](#overrides)
-     * [Registering new users](#registering-new-users)
-     * [Generating tokens](#generating-tokens)
-     * [Token and Session Expiry](#token-and-session-expiry)
-     * [Redirecting back after sign-in](#redirecting-back-after-sign-in)
-     * [URLs and links](#urls-and-links)
-     * [Customize the way to send magic link](#customize-the-way-to-send-magic-link)
-     * [E-mail security](#e-mail-security)
+  * [Getting the current user, restricting access, the usual](#getting-the-current-user-restricting-access-the-usual)
+  * [Providing your own templates](#providing-your-own-templates)
+  * [Registering new users](#registering-new-users)
+  * [URLs and links](#urls-and-links)
+  * [Customize the way to send magic link](#customize-the-way-to-send-magic-link)
+  * [Generate your own magic links](#generate-your-own-magic-links)
+  * [Overrides](#overrides)
+* [Configuration](#configuration)
+  * [Customising token generation](#generating-tokens)
+  * [Token and Session Expiry](#token-and-session-expiry)
+  * [Redirecting back after sign-in](#redirecting-back-after-sign-in)
+  * [Claiming tokens](#claiming-tokens)
+* [E-mail security](#e-mail-security)
 * [License](#license)
 
 ## Installation
@@ -90,7 +92,7 @@ class ApplicationController < ActionController::Base
 
   def require_user!
     return if current_user
-    redirect_to root_path, flash: {error: 'You are not worthy!'}
+    redirect_to root_path, flash: { error: 'You are not worthy!' }
   end
 end
 ```
@@ -136,7 +138,7 @@ class UsersController < ApplicationController
 
     if @user.save
       sign_in @user # <-- This!
-      redirect_to @user, flash: {notice: 'Welcome!'}
+      redirect_to @user, flash: { notice: 'Welcome!' }
     else
       render :new
     end
@@ -146,7 +148,97 @@ class UsersController < ApplicationController
 end
 ```
 
-### Generating tokens
+### URLs and links
+
+By default, Passwordless uses the resource name given to `passwordless_for` to generate its routes and helpers.
+
+```ruby
+passwordless_for :users
+  # <%= users.sign_in_path %> # => /users/sign_in
+
+passwordless_for :users, at: '/', as: :auth
+  # <%= auth.sign_in_path %> # => /sign_in
+```
+
+Also be sure to [specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views).
+
+### Customize the way to send magic link
+
+By default, magic link will send by email. You can customize this method. For example, you can send magic link via SMS.
+
+config/initializers/passwordless.rb
+
+```
+Passwordless.after_session_save = lambda do |session, request|
+  # Default behavior is
+  # Passwordless::Mailer.magic_link(session).deliver_now
+
+  # You can change behavior to do something with session model. For example,
+  # session.authenticatable.send_sms
+end
+```
+
+You can access user model through authenticatable.
+
+### Generate your own magic links
+
+Currently there is not an officially supported way to generate your own magic links to send in your own mailers.
+
+However, you can accomplish this with the following snippet of code.
+
+```
+session = Passwordless::Session.new({
+  authenticatable: @manager,
+  user_agent: 'Command Line',
+  remote_addr: 'unknown',
+})
+session.save!
+@magic_link = send(Passwordless.mounted_as).token_sign_in_url(session.token)
+```
+
+You can further customize this URL by specifying the destination path to be redirected to after the user has logged in. You can do this by adding the `destination_path` query parameter to the end of the URL. For example
+```
+@magic_link = "#{@magic_link}?destination_path=/your-custom-path"
+```
+
+### Overrides
+
+By default `passwordless` uses the `passwordless_with` column to _case insensitively_ fetch the resource.
+
+You can override this and provide your own customer fetcher by defining a class method `fetch_resource_for_passwordless` in your passwordless model. The method will be called with the downcased email and should return an `ActiveRecord` instance of the model.
+
+Example time:
+
+Let's say we would like to fetch the record and if it doesn't exist, create automatically.
+
+```ruby
+class User < ApplicationRecord
+  def self.fetch_resource_for_passwordless(email)
+    find_or_create_by(email: email)
+  end
+end
+```
+
+## Configuration
+
+The following configuration parameters are supported. It is recommended to set these in `initializers/passwordless.rb`. The default values are shown below.
+
+```ruby
+Passwordless.default_from_address = "CHANGE_ME@example.com"
+Passwordless.token_generator = UrlSafeBase64Generator.new # Used to generate magic link tokens.
+Passwordless.restrict_token_reuse = false # By default a magic link token can be used multiple times.
+Passwordless.redirect_back_after_sign_in = true # When enabled the user will be redirected to their previous page, or a page specified by the `destination_path` query parameter, if available.
+
+Passwordless.expires_at = lambda { 1.year.from_now } # How long until a magic link expires.
+Passwordless.timeout_at = lambda { 1.hour.from_now } # How long until a passwordless session expires.
+
+# Default redirection paths
+Passwordless.success_redirect_path = '/' # When a user succeeds in logging in. 
+Passwordless.failure_redirect_path = '/' # When a a login is failed for any reason.
+Passwordless.sign_out_redirect_path = '/' # When a user logs out.
+```
+
+### Customizing token generation
 
 By default Passwordless generates tokens using `SecureRandom.urlsafe_base64` but you can change that by setting `Passwordless.token_generator` to something else that responds to `call(session)` eg.:
 
@@ -204,39 +296,6 @@ end
 
 This can be turned off with `Passwordless.redirect_back_after_sign_in = false` but if you just don't save the previous destination, you'll be fine.
 
-### URLs and links
-
-By default, Passwordless uses the resource name given to `passwordless_for` to generate its routes and helpers.
-
-```ruby
-passwordless_for :users
-  # <%= users.sign_in_path %> # => /users/sign_in
-
-passwordless_for :users, at: '/', as: :auth
-  # <%= auth.sign_in_path %> # => /sign_in
-```
-
-Also be sure to [specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views).
-
-
-### Customize the way to send magic link
-
-By default, magic link will send by email. You can customize this method. For example, you can send magic link via SMS.
-
-config/initializers/passwordless.rb
-
-```
-Passwordless.after_session_save = lambda do |session, request|
-  # Default behavior is
-  # Passwordless::Mailer.magic_link(session).deliver_now
-
-  # You can change behavior to do something with session model. For example,
-  # session.authenticatable.send_sms
-end
-```
-
-You can access user model through authenticatable.
-
 ### Claiming tokens
 
 Opt-in for marking tokens as `claimed` so they can only be used once.
@@ -269,25 +328,7 @@ end
 ```
 </details>
 
-### Overrides
-
-By default `passwordless` uses the `passwordless_with` column to _case insensitively_ fetch the resource.
-
-You can override this and provide your own customer fetcher by defining a class method `fetch_resource_for_passwordless` in your passwordless model. The method will be called with the downcased email and should return an `ActiveRecord` instance of the model.
-
-Example time:
-
-Let's say we would like to fetch the record and if it doesn't exist, create automatically.
-
-```ruby
-class User < ApplicationRecord
-  def self.fetch_resource_for_passwordless(email)
-    find_or_create_by(email: email)
-  end
-end
-```
-
-### E-mail security
+## E-mail security
 
 There's no reason that this approach should be less secure than the usual username/password combo. In fact this is most often a more secure option, as users don't get to choose the weak passwords they still use. In a way this is just the same as having each user go through "Forgot password" on every login.
 

data/app/controllers/passwordless/sessions_controller.rb

@@ -42,20 +42,15 @@ module Passwordless
     def show
       # Make it "slow" on purpose to make brute-force attacks more of a hassle
       BCrypt::Password.create(params[:token])
-
-      destination =
-        Passwordless.redirect_back_after_sign_in &&
-        reset_passwordless_redirect_location!(authenticatable_class)
-
       sign_in passwordless_session
 
-      redirect_to destination || main_app.root_path
+      redirect_to passwordless_success_redirect_path
     rescue Errors::TokenAlreadyClaimedError
       flash[:error] = I18n.t(".passwordless.sessions.create.token_claimed")
-      redirect_to main_app.root_path
+      redirect_to passwordless_failure_redirect_path
     rescue Errors::SessionTimedOutError
       flash[:error] = I18n.t(".passwordless.sessions.create.session_expired")
-      redirect_to main_app.root_path
+      redirect_to passwordless_failure_redirect_path
     end
 
     # match '/sign_out', via: %i[get delete].
@@ -63,7 +58,31 @@ module Passwordless
     # @see ControllerHelpers#sign_out
     def destroy
       sign_out authenticatable_class
-      redirect_to main_app.root_path
+      redirect_to passwordless_sign_out_redirect_path
+    end
+
+    protected
+
+    def passwordless_sign_out_redirect_path
+      Passwordless.sign_out_redirect_path
+    end
+
+    def passwordless_failure_redirect_path
+      Passwordless.failure_redirect_path
+    end
+
+    def passwordless_query_redirect_path
+      query_redirect_uri = URI(params[:destination_path])
+      query_redirect_uri.to_s if query_redirect_uri.host.nil? || query_redirect_uri.host == URI(request.url).host
+    rescue URI::InvalidURIError, ArgumentError
+      nil
+    end
+
+    def passwordless_success_redirect_path
+      return Passwordless.success_redirect_path unless Passwordless.redirect_back_after_sign_in
+
+      session_redirect_url = reset_passwordless_redirect_location!(authenticatable_class)
+      passwordless_query_redirect_path || session_redirect_url || Passwordless.success_redirect_path
     end
 
     private

data/lib/passwordless.rb

@@ -15,6 +15,9 @@ module Passwordless
 
   mattr_accessor(:expires_at) { lambda { 1.year.from_now } }
   mattr_accessor(:timeout_at) { lambda { 1.hour.from_now } }
+  mattr_accessor(:success_redirect_path) { "/" }
+  mattr_accessor(:failure_redirect_path) { "/" }
+  mattr_accessor(:sign_out_redirect_path) { "/" }
 
   mattr_accessor(:after_session_save) do
     lambda { |session, _request| Mailer.magic_link(session).deliver_now }

data/lib/passwordless/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Passwordless
-  VERSION = "0.8.2" # :nodoc:
+  VERSION = "0.9.0" # :nodoc:
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passwordless
 version: !ruby/object:Gem::Version
-  version: 0.8.2
+  version: 0.9.0
 platform: ruby
 authors:
 - Mikkel Malmberg
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-30 00:00:00.000000000 Z
+date: 2019-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails