passwordless 1.1.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 399b4c9ace35d6780f2f22cf50c47c2717ead7c9b6b999d64120b7e574b465ec
-  data.tar.gz: 5e7e35e3eab146d5e93c7588c49552fb3f46d27ed27e183ba7367e755ecfccfd
+  metadata.gz: 2242a4b95f1a99d5be1b889539dc6dd9f1eda711ce616f3b090f12dd68337254
+  data.tar.gz: afd9ea1fd2d3b3f15f10a4772d231c53adfd524e22de00d833a9183b34d69397
 SHA512:
-  metadata.gz: d9fe89a70ba2f35cc417f03f5ca23a9a1bb1bc967d3c80828aba6a60a643e8de2d880f7bb038e1f17b60e80f250117df5ad41df1a15c96c9dcfa8317767ddd2f
-  data.tar.gz: 315a2b802c1b21cf08ad61003c6b15d2d8eedfcfb7c440c58fbc7991bd73c254261dc3e7535d25469a01522e8476cb0ca9fdede7af3d15f0eaed14ff1b80ce2a
+  metadata.gz: 9b2ceb4c68972744e10ac6dd56e2e863b5e229bb31053b7159a16c020a2cfa55ffe1affcbef92ca52ee03de79d4d675cb5b3f4340e1c888e064e9ab246f3e455
+  data.tar.gz: 7dd102d25dd4cbb60ab73d30732f78a6cd1d6757e345e3b304c9b1abe4394b6b1d883c1368bd7eaa12ecee986ecdfabf3d82cea081048694807388fc5a1bfd69

data/README.md

@@ -25,26 +25,21 @@ See [Upgrading to Passwordless 1.0](docs/upgrading_to_1_0.md) for more details.
 
 ## Usage
 
-Passwordless creates a single model called `Passwordless::Session`. It doesn't come with its own `User` model, it expects you to create one:
+Passwordless creates a single model called `Passwordless::Session`, so it doesn't come with its own user model. Instead, it expects you to provide one, with an email field in place. If you don't yet have a user model, check out the wiki on [creating the user model](https://github.com/mikker/passwordless/wiki/Creating-the-user-model).
 
-```sh
-$ bin/rails generate model User email
-```
-
-Then specify which field on your `User` record is the email field with:
+Enable Passwordless on your user model by pointing it to the email field:
 
 ```ruby
 class User < ApplicationRecord
-  validates :email,
-            presence: true,
-            uniqueness: { case_sensitive: false },
-            format: { with: URI::MailTo::EMAIL_REGEXP }
+  # your other code..
+
+  passwordless_with :email # <-- here! this needs to be a column in `users` table
 
-  passwordless_with :email # <-- here!
+  # more of your code..
 end
 ```
 
-Finally, mount the engine in your routes:
+Then mount the engine in your routes:
 
 ```ruby
 Rails.application.routes.draw do
@@ -146,7 +141,13 @@ passwordless_for :users, at: '/', as: :auth
 ```
 
 Also be sure to
-[specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views).
+[specify ActionMailer's `default_url_options.host`](http://guides.rubyonrails.org/action_mailer_basics.html#generating-urls-in-action-mailer-views) and tell the routes as well:
+
+```ruby
+# config/application.rb for example:
+config.action_mailer.default_url_options = {host: "www.example.com"}
+routes.default_url_options[:host] ||= "www.example.com"
+```
 
 ## Configuration
 
@@ -157,6 +158,7 @@ The default values are shown below. It's recommended to only include the ones th
 ```ruby
 Passwordless.configure do |config|
   config.default_from_address = "CHANGE_ME@example.com"
+  config.parent_controller = "ApplicationController"
   config.parent_mailer = "ActionMailer::Base"
   config.restrict_token_reuse = false # Can a token/link be used multiple times?
   config.token_generator = Passwordless::ShortTokenGenerator.new # Used to generate magic link tokens.
@@ -169,6 +171,8 @@ Passwordless.configure do |config|
   config.success_redirect_path = '/' # After a user successfully signs in
   config.failure_redirect_path = '/' # After a sign in fails
   config.sign_out_redirect_path = '/' # After a user signs out
+
+  config.paranoid = false # Display email sent notice even when the resource is not found.
 end
 ```
 
@@ -254,18 +258,6 @@ class User < ApplicationRecord
 end
 ```
 
-### Claiming tokens
-
-By default, a token/magic link **can** be used more than once.
-
-To change, in `config/initializers/passwordless.rb`:
-
-```ruby
-Passwordless.configure do |config|
-  config.restrict_token_reuse = true
-end
-```
-
 ## Test helpers
 
 To help with testing, a set of test helpers are provided.

data/app/controllers/passwordless/sessions_controller.rb

@@ -4,7 +4,7 @@ require "bcrypt"
 
 module Passwordless
   # Controller for managing Passwordless sessions
-  class SessionsController < ApplicationController
+  class SessionsController < Passwordless.config.parent_controller.constantize
     include ControllerHelpers
 
     helper_method :email_field
@@ -20,21 +20,11 @@ module Passwordless
     #   Creates a new Session record then sends the magic link
     #   redirects to sign in page with generic flash message.
     def create
-      unless @resource = find_authenticatable
-        raise(
-          ActiveRecord::RecordNotFound,
-          "Couldn't find #{authenticatable_type} with email #{passwordless_session_params[email_field]}"
-        )
-      end
-
+      handle_resource_not_found unless @resource = find_authenticatable
       @session = build_passwordless_session(@resource)
 
       if @session.save
-        if Passwordless.config.after_session_save.arity == 2
-          Passwordless.config.after_session_save.call(@session, request)
-        else
-          Passwordless.config.after_session_save.call(@session)
-        end
+        call_after_session_save
 
         redirect_to(
           Passwordless.context.path_for(
@@ -50,6 +40,8 @@ module Passwordless
       end
 
     rescue ActiveRecord::RecordNotFound
+      @session = Session.new
+
       flash[:error] = I18n.t("passwordless.sessions.create.not_found")
       render(:new, status: :not_found)
     end
@@ -137,6 +129,8 @@ module Passwordless
     private
 
     def artificially_slow_down_brute_force_attacks(token)
+      return unless Passwordless.config.combat_brute_force_attacks
+
       # Make it "slow" on purpose to make brute-force attacks more of a hassle
       BCrypt::Password.create(token)
     end
@@ -171,12 +165,36 @@ module Passwordless
     end
 
     def find_authenticatable
-      email = passwordless_session_params[email_field].downcase.strip
-
       if authenticatable_class.respond_to?(:fetch_resource_for_passwordless)
-        authenticatable_class.fetch_resource_for_passwordless(email)
+        authenticatable_class.fetch_resource_for_passwordless(normalized_email_param)
+      else
+        authenticatable_class.where("lower(#{email_field}) = ?", normalized_email_param).first
+      end
+    end
+
+    def normalized_email_param
+      passwordless_session_params[email_field].downcase.strip
+    end
+
+    def handle_resource_not_found
+      if Passwordless.config.paranoid
+        @resource = authenticatable_class.new(email: normalized_email_param)
+        @skip_after_session_save_callback = true
+      else
+        raise(
+          ActiveRecord::RecordNotFound,
+          "Couldn't find #{authenticatable_type} with email #{normalized_email_param}"
+        )
+      end
+    end
+
+    def call_after_session_save
+      return if @skip_after_session_save_callback
+
+      if Passwordless.config.after_session_save.arity == 2
+        Passwordless.config.after_session_save.call(@session, request)
       else
-        authenticatable_class.where("lower(#{email_field}) = ?", email).first
+        Passwordless.config.after_session_save.call(@session)
       end
     end
 

data/app/mailers/passwordless/mailer.rb

@@ -3,7 +3,7 @@
 module Passwordless
   # The mailer responsible for sending Passwordless' mails.
   class Mailer < Passwordless.config.parent_mailer.constantize
-    default from: Passwordless.config.default_from_address
+    default(from: Passwordless.config.default_from_address) if Passwordless.config.default_from_address
 
     # Sends a token and a magic link
     #
@@ -17,7 +17,8 @@ module Passwordless
         session,
         action: "confirm",
         id: session.to_param,
-        token: @token
+        token: @token,
+        **default_url_options
       )
 
       email_field = session.authenticatable.class.passwordless_email_field

data/app/views/passwordless/sessions/new.html.erb

@@ -1,12 +1,12 @@
 <%= form_with(model: @session, url: url_for(action: 'new'), data: { turbo: 'false' }) do |f| %>
   <% email_field_name = :"passwordless[#{email_field}]" %>
   <%= f.label email_field_name,
-          t("passwordless.sessions.new.email.label"),
-          for: "passwordless_#{email_field}" %>
+      t("passwordless.sessions.new.email.label"),
+      for: "passwordless_#{email_field}" %>
   <%= email_field_tag email_field_name,
-  params.fetch(email_field_name, nil),
-  required: true,
-  autofocus: true,
-  placeholder: t("passwordless.sessions.new.email.placeholder") %>
+      params.fetch(email_field_name, nil),
+      required: true,
+      autofocus: true,
+      placeholder: t("passwordless.sessions.new.email.placeholder") %>
   <%= f.submit t("passwordless.sessions.new.submit") %>
 <% end %>

data/app/views/passwordless/sessions/show.html.erb

@@ -1,5 +1,8 @@
 <%= form_with(model: @session, url: url_for(action: 'update'), scope: 'passwordless', method: 'patch', data: { turbo: false }) do |f| %>
-  <%= f.label :token, autocomplete: "off" %>
-  <%= f.text_field :token %>
+  <%= f.label :token %>
+  <%= f.text_field :token,
+      required: true,
+      autofocus: true,
+      autocomplete: "one-time-code" %>
   <%= f.submit t(".confirm") %>
 <% end %>

data/lib/passwordless/config.rb

@@ -28,9 +28,11 @@ module Passwordless
     include Options
 
     option :default_from_address, default: "CHANGE_ME@example.com"
+    option :parent_controller, default: "ApplicationController"
     option :parent_mailer, default: "ActionMailer::Base"
     option :restrict_token_reuse, default: true
     option :token_generator, default: ShortTokenGenerator.new
+    option :combat_brute_force_attacks, default: !Rails.env.test?
 
     option :expires_at, default: lambda { 1.year.from_now }
     option :timeout_at, default: lambda { 10.minutes.from_now }
@@ -47,6 +49,8 @@ module Passwordless
       end
     )
 
+    option :paranoid, default: false
+
     def initialize
       set_defaults!
     end

data/lib/passwordless/test_helpers.rb

@@ -43,21 +43,22 @@ module Passwordless
     end
 
     module SystemTestCase
-      def passwordless_sign_out(cls = nil)
+      def passwordless_sign_out(cls = nil, only_path: false)
         cls ||= "User".constantize
         resource = cls.model_name.to_s.tableize
 
-        visit(Passwordless.context.url_for(resource, action: "destroy"))
+        visit(Passwordless.context.url_for(resource, action: "destroy", only_path: only_path))
       end
 
-      def passwordless_sign_in(resource)
+      def passwordless_sign_in(resource, only_path: false)
         session = Passwordless::Session.create!(authenticatable: resource)
 
         magic_link = Passwordless.context.url_for(
           session,
           action: "confirm",
           id: session.to_param,
-          token: session.token
+          token: session.token,
+          only_path: only_path
         )
 
         visit(magic_link)

data/lib/passwordless/version.rb

@@ -2,5 +2,5 @@
 
 module Passwordless
   # :nodoc:
-  VERSION = "1.1.1"
+  VERSION = "1.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passwordless
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Mikkel Malmberg
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-11 00:00:00.000000000 Z
+date: 2024-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -91,7 +91,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.21
+rubygems_version: 3.5.5
 signing_key:
 specification_version: 4
 summary: Add authentication to your app without all the ickyness of passwords.