propel_authentication 0.1.1

data/lib/generators/propel_auth/templates/auth_mailer.rb

@@ -0,0 +1,180 @@
+class AuthMailer < ApplicationMailer
+  # Rails 8 compatible authentication mailer with JWT integration
+  # Provides password reset, account unlock, invitation, and email confirmation functionality
+  
+  default from: -> { "noreply@#{Rails.application.class.module_parent.name.downcase}.com" }
+
+  # Password reset email with JWT token integration
+  def password_reset
+    @user = params[:user]
+    @token = params[:token]
+    @reset_url = params[:reset_url]
+    @expiration_minutes = 15
+    
+    # Set template variables as instance variables
+    @organization_name = organization_name(@user)
+    @display_name = display_name(@user)
+    @support_email = support_email
+    
+    # Validate required parameters
+    raise ArgumentError, "User is required" unless @user
+    raise ArgumentError, "Token is required" unless @token
+    raise ArgumentError, "Reset URL is required" unless @reset_url
+    
+    mail(
+      to: @user.email_address,
+      subject: "Reset your password for #{@organization_name}"
+    )
+  end
+
+  # Account unlock email with JWT token integration
+  def account_unlock
+    @user = params[:user]
+    @token = params[:token]
+    @unlock_url = params[:unlock_url]
+    @expiration_hours = 1
+    
+    # Set template variables as instance variables
+    @organization_name = organization_name(@user)
+    @display_name = display_name(@user)
+    @support_email = support_email
+    
+    # Validate required parameters
+    raise ArgumentError, "User is required" unless @user
+    raise ArgumentError, "Token is required" unless @token
+    raise ArgumentError, "Unlock URL is required" unless @unlock_url
+    
+    mail(
+      to: @user.email_address,
+      subject: "Account locked - Security notification for #{@organization_name}"
+    )
+  end
+
+  # User invitation email with organization context
+  def user_invitation
+    @invitation = params[:invitation]
+    @inviter = params[:inviter]
+    @token = params[:token]
+    @invitation_url = params[:invitation_url]
+    @expiration_days = 7
+    
+    # Set template variables as instance variables
+    @organization_name = organization_name(@inviter)
+    @inviter_display_name = display_name(@inviter)
+    @support_email = support_email
+    
+    # Validate required parameters
+    raise ArgumentError, "Invitation is required" unless @invitation
+    raise ArgumentError, "Inviter is required" unless @inviter
+    raise ArgumentError, "Token is required" unless @token
+    raise ArgumentError, "Invitation URL is required" unless @invitation_url
+    
+    mail(
+      to: @invitation.email_address,
+      subject: "You're invited to join #{@invitation.organization.name}"
+    )
+  end
+
+  # Email confirmation with secure token
+  def email_confirmation(user, email_address = nil)
+    @user = user
+    @email_address = email_address || user.email_address
+    @token = user.confirmation_token
+    
+    # Set template variables as instance variables
+    @organization_name = organization_name(@user)
+    @display_name = display_name(@user)
+    @support_email = support_email
+    
+    # Validate required parameters
+    raise ArgumentError, "User is required" unless @user
+    raise ArgumentError, "Confirmation token is required" unless @token
+    
+    mail(
+      to: @email_address,
+      subject: "Please confirm your email address for #{@organization_name}"
+    )
+  end
+
+  # Welcome email for newly registered users
+  def welcome
+    @user = params[:user]
+    @organization = @user.organization
+    
+    # Validate required parameters
+    raise ArgumentError, "User is required" unless @user
+    
+    mail(
+      to: @user.email_address,
+      subject: "Welcome to #{@organization_name}!"
+    )
+  end
+
+  # Email change confirmation
+  def email_change_confirmation
+    @user = params[:user]
+    @new_email_address = params[:new_email_address]
+    @token = params[:token]
+    @confirmation_url = params[:confirmation_url]
+    
+    # Validate required parameters
+    raise ArgumentError, "User is required" unless @user
+    raise ArgumentError, "New email address is required" unless @new_email_address
+    raise ArgumentError, "Token is required" unless @token
+    raise ArgumentError, "Confirmation URL is required" unless @confirmation_url
+    
+    mail(
+      to: @new_email_address,
+      subject: "Confirm your new email address for #{@organization_name}"
+    )
+  end
+
+  # Helper methods - made public so they can be used in email templates
+
+  # Get organization name for email subjects and content
+  def organization_name(user = nil)
+    user = user || @user
+    if user&.organization&.name.present?
+      user.organization.name
+    elsif @invitation&.organization&.name.present?
+      @invitation.organization.name
+    else
+      Rails.application.class.module_parent.name
+    end
+  end
+
+  # Get user's display name with fallback
+  def display_name(user)
+    if user.first_name.present?
+      user.first_name
+    elsif user.username.present?
+      user.username
+    else
+      user.email_address.split('@').first.humanize
+    end
+  end
+
+  # Get support email for the organization
+  def support_email
+    "support@#{Rails.application.class.module_parent.name.downcase}.com"
+  end
+
+  # Get application name
+  def application_name
+    Rails.application.class.module_parent.name
+  end
+
+  # Generate confirmation URL with token
+  def confirmation_url(user)
+    token = user.confirmation_token
+    base_url = PropelAuth.configuration.frontend_url || "#{request.protocol}#{request.host_with_port}"
+    "#{base_url}/auth/confirm?token=#{token}"
+  end
+
+  private
+
+  # Renamed to avoid confusion with public helper
+  def user_display_name(user)
+    display_name(user)
+  end
+end 

data/lib/generators/propel_auth/templates/authenticatable.rb

@@ -0,0 +1,38 @@
+module Authenticatable
+  extend ActiveSupport::Concern
+
+  included do
+    has_secure_password
+    validates :email_address, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
+    validates :password, presence: true, length: { minimum: 8 }, if: :password_digest_changed?
+  end
+
+  # Generate JWT token for user authentication
+  def generate_jwt_token
+    payload = {
+      user_id: id,
+      email_address: email_address,
+      organization_id: organization_id,
+      iat: Time.now.to_i,
+      exp: PropelAuth.configuration.jwt_expiration.from_now.to_i
+    }
+    
+          JWT.encode(payload, PropelAuth.configuration.jwt_secret, 'HS256')
+  end
+
+  class_methods do
+    # Find user by JWT token
+    def find_by_jwt_token(token)
+      return nil unless token
+      
+      decoded_token = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+      payload = decoded_token.first
+      
+      # Check if token is expired (JWT gem handles this, but double-check)
+      return nil if payload['exp'] && Time.at(payload['exp']) < Time.current
+      
+      # Find user by ID from token
+      find_by(id: payload['user_id'])
+    end
+  end
+end 

data/lib/generators/propel_auth/templates/concerns/confirmable.rb

@@ -0,0 +1,145 @@
+module Confirmable
+  extend ActiveSupport::Concern
+
+  included do
+    before_create :generate_confirmation_token, unless: :confirmed?
+    before_update :generate_confirmation_token_if_email_changed
+    after_create :send_confirmation_instructions, unless: :confirmed?
+    
+    validates :confirmation_token, uniqueness: true, allow_nil: true
+    validates :email_address, presence: true
+  end
+
+  # CONFIRMATION STATUS METHODS
+
+  def confirmed?
+    confirmed_at.present?
+  end
+
+  def confirmation_pending?
+    !confirmed? && confirmation_token.present?
+  end
+
+  def confirmation_expired?
+    return false if confirmation_sent_at.blank?
+    confirmation_sent_at < confirmation_period.ago
+  end
+
+  def can_login?
+    confirmed? && !locked?
+  end
+
+  # CONFIRMATION TOKEN METHODS
+
+  def confirm_by_token(token)
+    return false if token.blank? || confirmation_token.blank?
+    return false unless secure_compare(token, confirmation_token)
+    return false if confirmation_expired?
+
+    self.confirmed_at = Time.current
+    self.confirmation_token = nil
+    self.confirmation_sent_at = nil
+    
+    # If there's a pending email change, apply it
+    if unconfirmed_email_address.present?
+      self.email_address = unconfirmed_email_address
+      self.unconfirmed_email_address = nil
+    end
+    
+    save(validate: false)
+  end
+
+  def send_confirmation_instructions
+    return false if confirmed?
+    return false if confirmation_rate_limited?
+
+    generate_confirmation_token
+    self.confirmation_sent_at = Time.current
+    save(validate: false)
+
+    AuthMailer.email_confirmation(self).deliver_now
+    true
+  end
+
+  def resend_confirmation_instructions
+    return false if confirmed?
+    
+    send_confirmation_instructions
+  end
+
+  # PRIVATE METHODS
+
+  private
+
+  def generate_confirmation_token
+    self.confirmation_token = generate_secure_token
+    self.confirmation_sent_at = Time.current
+  end
+
+  def generate_confirmation_token_if_email_changed
+    if email_address_changed? && confirmed?
+      # Store the new email for confirmation
+      self.unconfirmed_email_address = email_address
+      # Revert email to original for now
+      self.email_address = email_address_was
+      # Mark as unconfirmed and generate new token
+      self.confirmed_at = nil
+      generate_confirmation_token
+      # Send confirmation to the new email
+      AuthMailer.email_confirmation(self, unconfirmed_email_address).deliver_now
+    elsif email_address_changed? && !confirmed?
+      # If user isn't confirmed yet, just regenerate token
+      generate_confirmation_token
+    end
+  end
+
+  def confirmation_rate_limited?
+    return false if confirmation_sent_at.blank?
+    confirmation_sent_at > confirmation_resend_interval.ago
+  end
+
+  def generate_secure_token
+    SecureRandom.hex(32)
+  end
+
+  def secure_compare(a, b)
+    return false if a.nil? || b.nil?
+    ActiveSupport::SecurityUtils.secure_compare(a, b)
+  end
+
+  def confirmation_period
+    PropelAuth.configuration.confirmation_period || 24.hours
+  end
+
+  def confirmation_resend_interval
+    PropelAuth.configuration.confirmation_resend_interval || 1.minute
+  end
+
+  module ClassMethods
+    def confirm_by_token(token)
+      user = find_by(confirmation_token: token)
+      return nil unless user
+      
+      if user.confirm_by_token(token)
+        user
+      else
+        nil
+      end
+    end
+
+    def send_confirmation_instructions(attributes = {})
+      user = find_by(email_address: attributes[:email_address])
+      return nil unless user
+      
+      if user.send_confirmation_instructions
+        user
+      else
+        nil
+      end
+    end
+
+    def find_for_confirmation(token)
+      find_by(confirmation_token: token)
+    end
+  end
+end 

data/lib/generators/propel_auth/templates/concerns/lockable.rb

@@ -0,0 +1,123 @@
+module Lockable
+  extend ActiveSupport::Concern
+
+  # Check if account is currently locked
+  def locked?
+    return false unless locked_at.present?
+    
+    # Check if lockout duration has passed (automatic unlock)
+    if locked_at + PropelAuth.configuration.lockout_duration > Time.current
+      true # Still within lockout period
+    else
+      # Lockout period expired, automatically unlock
+      unlock_account!
+      false
+    end
+  end
+  
+  # Check if user can authenticate (not locked and within limits)
+  def can_authenticate?
+    !locked?
+  end
+  
+  # Increment failed login attempts and lock if limit reached
+  def increment_failed_attempts
+    return if locked? # Don't increment if already locked
+    
+    self.failed_login_attempts = (failed_login_attempts || 0) + 1
+    
+    if failed_login_attempts >= PropelAuth.configuration.max_failed_attempts
+      lock_account!
+    else
+      save!
+    end
+  end
+  
+  # Reset failed login attempts (called on successful login)
+  def reset_failed_attempts
+    update!(failed_login_attempts: 0)
+  end
+  
+  # Manually lock the account
+  def lock_account!
+    update!(
+      locked_at: Time.current,
+      failed_login_attempts: PropelAuth.configuration.max_failed_attempts
+    )
+    
+    # Send account locked email notification if enabled
+    if PropelAuth.configuration.enable_email_notifications
+      email_result = AuthNotificationService.send_account_unlock_email(self)
+      
+      if email_result[:success]
+        Rails.logger.info "Account unlock email sent successfully to #{email_address}"
+      else
+        Rails.logger.error "Failed to send account unlock email to #{email_address}: #{email_result[:error]}"
+      end
+    end
+  end
+  
+  # Manually unlock the account
+  def unlock_account!
+    update!(
+      locked_at: nil,
+      failed_login_attempts: 0
+    )
+  end
+  
+  # Generate JWT token for account unlock (for email/SMS unlock links)
+  def generate_unlock_token
+    payload = {
+      user_id: id,
+      email_address: email_address,
+      type: 'unlock',
+      iat: Time.now.to_i,
+      exp: 1.hour.from_now.to_i # Unlock tokens expire in 1 hour
+    }
+    
+    JWT.encode(payload, PropelAuth.configuration.jwt_secret, 'HS256')
+  end
+  
+  # Unlock account using a valid unlock token
+  def unlock_with_token!(token)
+    return false unless token.present?
+    
+    begin
+      decoded_token = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+      payload = decoded_token.first
+      
+      # Verify token is for this user and is an unlock token
+      if payload['user_id'] == id && payload['type'] == 'unlock'
+        unlock_account!
+        true
+      else
+        false
+      end
+    rescue JWT::ExpiredSignature, JWT::DecodeError, JWT::InvalidSignature
+      false
+    end
+  end
+  
+  module ClassMethods
+    # Find user by unlock token
+    def find_by_unlock_token(token)
+      return nil unless token.present?
+      
+      begin
+        decoded_token = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+        payload = decoded_token.first
+        
+        # Check if token is expired (JWT gem handles this, but double-check)
+        return nil if payload['exp'] && Time.at(payload['exp']) < Time.current
+        
+        # Verify this is an unlock token
+        return nil unless payload['type'] == 'unlock'
+        
+        # Find user by ID from token
+        find_by(id: payload['user_id'])
+      rescue JWT::ExpiredSignature, JWT::DecodeError, JWT::InvalidSignature
+        nil
+      end
+    end
+  end
+end 

data/lib/generators/propel_auth/templates/concerns/propel_authentication.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module PropelAuthentication
+  extend ActiveSupport::Concern
+
+  private
+
+  def authenticate_user
+    token = extract_jwt_token
+    
+    unless token
+      render json: { error: 'No token provided' }, status: :unauthorized
+      return false
+    end
+    
+    begin
+      @current_user = User.find_by_jwt_token(token)
+      unless @current_user
+        render json: { error: 'Invalid token' }, status: :unauthorized
+        return false
+      end
+    rescue JWT::ExpiredSignature
+      render json: { error: 'Token expired' }, status: :unauthorized
+      return false
+    rescue JWT::DecodeError, JWT::InvalidSignature
+      render json: { error: 'Invalid token' }, status: :unauthorized
+      return false
+    end
+    
+    true
+  end
+
+  def current_user
+    @current_user
+  end
+
+  def extract_jwt_token
+    auth_header = request.headers['Authorization']
+    return nil unless auth_header
+    
+    # Extract token from "Bearer <token>" format
+    auth_header.split(' ').last if auth_header.start_with?('Bearer ')
+  end
+end 

data/lib/generators/propel_auth/templates/concerns/rack_session_disable.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Disables rack session for API controllers to prevent session cookie overhead
+# and ensure a stateless authentication mechanism, which is critical for JWT.
+module RackSessionDisable
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :disable_session
+
+    private
+
+    # By setting :skip to true, we tell Rack not to load or save session data,
+    # making the request handling more efficient and purely token-based.
+    def disable_session
+      request.session_options[:skip] = true
+    end
+  end
+end 

data/lib/generators/propel_auth/templates/concerns/recoverable.rb

@@ -0,0 +1,124 @@
+module Recoverable
+  extend ActiveSupport::Concern
+
+  included do
+    # No additional database fields needed - using JWT tokens
+  end
+
+  # Generate password reset token with JWT
+  def generate_password_reset_token
+    # Use high precision timestamp and random nonce for uniqueness
+    now = Time.now
+    
+    payload = {
+      user_id: self.id,
+      email_address: self.email_address,
+      type: 'password_reset',
+      iat: now.to_f,  # Use float for higher precision
+      exp: PropelAuth.configuration.password_reset_expiration.from_now.to_i,
+      password_hash: self.password_digest[0..10],  # Bind token to current password
+      nonce: SecureRandom.hex(8)  # Add random nonce for uniqueness
+    }
+    
+    JWT.encode(payload, PropelAuth.configuration.jwt_secret, 'HS256')
+  end
+
+  # Validate password reset token
+  def valid_password_reset_token?(token)
+    return false if token.blank?
+    
+    begin
+      decoded = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+      payload = decoded.first
+      
+      # Validate token structure and content
+      return false unless payload['type'] == 'password_reset'
+      return false unless payload['user_id'] == self.id
+      return false unless payload['email_address'] == self.email_address
+      
+      # Validate token is not expired
+      return false if token_expired?(payload)
+      
+      # Validate password hash binding (prevents reuse after password change)
+      return false unless valid_password_hash_binding?(payload)
+      
+      true
+    rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidSignature
+      false
+    end
+  end
+
+  # Reset password with token validation
+  def reset_password_with_token!(token, new_password, new_password_confirmation = new_password)
+    return false unless valid_password_reset_token?(token)
+    return false if new_password.blank?
+    return false if new_password != new_password_confirmation
+    
+    # Validate password length (configuration is a Range)
+    password_range = PropelAuth.configuration.password_length
+    return false unless password_range.include?(new_password.length)
+    
+    begin
+      # Update password and clear failed login attempts
+      self.password = new_password
+      self.failed_login_attempts = 0  # Clear lockable state
+      
+      # Save changes
+      self.save!
+      true
+    rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved
+      false
+    end
+  end
+
+  class_methods do
+    # Find user by JWT password reset token
+    def find_user_by_password_reset_token(token)
+      return nil if token.blank?
+      
+      begin
+        decoded = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+        payload = decoded.first
+        
+        # Validate token structure
+        return nil unless payload['type'] == 'password_reset'
+        return nil unless payload['user_id'].present?
+        
+        # Find user and validate token
+        user = find_by(id: payload['user_id'])
+        return nil unless user&.valid_password_reset_token?(token)
+        
+        user
+      rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidSignature
+        nil
+      end
+    end
+  end
+
+  private
+
+  # Extract user ID from token
+  def extract_user_id_from_token(token)
+    return nil if token.blank?
+    
+    begin
+      decoded = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+      decoded.first['user_id']
+    rescue JWT::DecodeError
+      nil
+    end
+  end
+
+  # Validate token expiration
+  def token_expired?(payload)
+    return true unless payload['exp'].present?
+    Time.current.to_i >= payload['exp']
+  end
+
+  # Validate password hash binding to prevent reuse after password change
+  def valid_password_hash_binding?(payload)
+    return false unless payload['password_hash'].present?
+    expected_hash = self.password_digest[0..10]
+    payload['password_hash'] == expected_hash
+  end
+end