propel_authentication 0.1.3 → 0.2.0

data/lib/generators/propel_authentication/templates/auth/signup_controller.rb.tt

@@ -0,0 +1,242 @@
+class <%= auth_controller_class_name('signup') %> < ApplicationController
+  <%- unless api_only_app? -%>
+  include RackSessionDisable
+  <%- end -%>
+
+  # POST <%= auth_route_prefix %>/signup
+  def create
+    # Validate agency requirements if agency tenancy is enabled
+    return unless validate_agency_requirements!
+    
+    ActiveRecord::Base.transaction do
+      @organization = Organization.create!(organization_params)
+      @user = @organization.users.create!(user_params)
+      
+      # Create agency if agency tenancy is enabled and agency params provided
+      if agency_tenancy_enabled? && agency_params.present?
+        @agency = @organization.agencies.create!(agency_params)
+        
+        # Create agent relationship so user has immediate agency access
+        @user.agents.create!(
+          agency: @agency,
+          role: agent_role_param
+        )
+      end
+      
+      # Generate JWT for immediate login
+      token = @user.generate_jwt_token
+      
+      render json: { 
+        token: token,
+        user: user_response(@user),
+        organization: organization_response(@organization),
+        agency: agency_created? ? agency_response(@agency) : nil,
+        agent: agency_created? ? agent_response(@user.agents.last) : nil,
+        message: "Account created successfully! Ready to start working.",
+        next_steps: next_steps_for_user
+      }, status: :created
+    end
+  rescue ActiveRecord::RecordInvalid => e
+    render json: { 
+      error: 'Validation failed',
+      details: extract_validation_errors(e),
+      message: 'Please correct the errors and try again'
+    }, status: :unprocessable_entity
+  rescue => e
+    render json: { 
+      error: 'Account creation failed',
+      message: 'An unexpected error occurred. Please try again.'
+    }, status: :internal_server_error
+  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(
+      :email_address, 
+      :username, 
+      :password, 
+      :password_confirmation,
+      :first_name, 
+      :last_name, 
+      :phone_number,
+      :time_zone
+    )
+  end
+
+  def organization_params
+    params.require(:organization).permit(
+      :name, 
+      :website, 
+      :time_zone,
+      :description
+    )
+  end
+
+  def agency_params
+    return {} unless params[:agency].present?
+    
+    params.require(:agency).permit(
+      :name,
+      :phone_number,
+      :address
+    )
+  end
+
+  def agent_role_param
+    params.dig(:agent, :role) || 'owner'
+  end
+
+  def user_response(user)
+    {
+      id: user.id,
+      email_address: user.email_address,
+      username: user.username,
+      first_name: user.first_name,
+      last_name: user.last_name,
+      organization_id: user.organization_id,
+      created_at: user.created_at
+    }
+  end
+
+  def organization_response(organization)
+    {
+      id: organization.id,
+      name: organization.name,
+      website: organization.website,
+      time_zone: organization.time_zone
+    }
+  end
+
+  def agency_response(agency)
+    return nil unless agency
+    
+    {
+      id: agency.id,
+      name: agency.name,
+      organization_id: agency.organization_id
+    }
+  end
+
+  def agent_response(agent)
+    return nil unless agent
+    
+    {
+      id: agent.id,
+      user_id: agent.user_id,
+      agency_id: agent.agency_id,
+      role: agent.role,
+      created_at: agent.created_at
+    }
+  end
+
+  def agency_created?
+    defined?(@agency) && @agency.present?
+  end
+
+  def next_steps_for_user
+    steps = []
+    
+    if agency_tenancy_enabled?
+      if agency_created?
+        steps << {
+          action: 'create_additional_agencies',
+          description: 'Add more agencies to organize your team',
+          endpoint: '<%= auth_route_prefix %>/agencies',
+          method: 'POST'
+        }
+        steps << {
+          action: 'start_creating_resources',
+          description: 'Begin creating and managing your content (you can create resources immediately)',
+          endpoint: '<%= auth_route_prefix %>/',
+          note: 'Your agency is ready for resource creation'
+        }
+      else
+        steps << {
+          action: 'create_agency',
+          description: 'Create an agency to organize your resources',
+          endpoint: '<%= auth_route_prefix %>/agencies',
+          method: 'POST',
+          required: true
+        }
+      end
+      
+      steps << {
+        action: 'invite_team_members',
+        description: 'Invite colleagues to join your organization',
+                  endpoint: '<%= auth_route_prefix %>/invitations',
+        method: 'POST'
+      }
+    else
+      steps << {
+        action: 'invite_team_members',
+        description: 'Invite colleagues to join your organization',
+                  endpoint: '<%= auth_route_prefix %>/invitations',
+        method: 'POST'
+      }
+      steps << {
+        action: 'start_creating_resources',
+        description: 'Begin creating and managing your content',
+        endpoint: '<%= auth_route_prefix %>/'
+      }
+    end
+    
+    steps
+  end
+
+  def agency_tenancy_enabled?
+    # Check PropelAuthentication configuration (owns tenancy models)
+    if defined?(PropelAuthentication) && PropelAuthentication.respond_to?(:configuration)
+      PropelAuthentication.configuration.agency_tenancy
+    else
+      true  # Safe default - enables agency tenancy when configuration unavailable
+    end
+  rescue => e
+    # Default to true if configuration is not available (standalone auth setup)
+    true
+  end
+
+  def extract_validation_errors(exception)
+    return {} unless exception.record
+    
+    errors = {}
+    exception.record.errors.each do |error|
+      field = error.attribute
+      errors[field] ||= []
+      errors[field] << error.full_message
+    end
+    
+    # If no specific field errors, use base errors
+    if errors.empty? && exception.record.errors.any?
+      errors[:base] = exception.record.errors.full_messages
+    end
+    
+    errors
+  end
+
+  # Validate that required agency params are present when agency tenancy is enabled
+  def validate_agency_requirements!
+    return unless agency_tenancy_enabled?
+    
+    if params[:agency].blank?
+      render json: {
+        error: 'Agency information required',
+        message: 'Agency details must be provided when agency tenancy is enabled',
+        code: 'MISSING_AGENCY_DATA',
+        hint: 'Include an "agency" object with name and other details in your request'
+      }, status: :unprocessable_entity
+      return false
+    end
+    
+    if agency_params[:name].blank?
+      render json: {
+        error: 'Agency name required',
+        message: 'Agency name is required when creating an agency',
+        code: 'MISSING_AGENCY_NAME'
+      }, status: :unprocessable_entity
+      return false
+    end
+    
+    true
+  end
+end

data/lib/generators/{propel_auth/templates → propel_authentication/templates/auth}/tokens_controller.rb.tt

@@ -1,18 +1,22 @@
-<%- if api_versioned? -%>
-# Dynamic API versioning controller - inherits from base controller
-class <%= controller_namespace %>::TokensController < Api::Auth::BaseTokensController
-end
-<%- else -%>
-class <%= controller_namespace %>::TokensController < ApplicationController
+class <%= auth_controller_class_name('tokens') %> < ApplicationController
   <%- unless api_only_app? -%>
   include RackSessionDisable
   <%- end -%>
-  include PropelAuthentication
+  include PropelAuthenticationConcern
 
-  # POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/login
+  before_action :authenticate_user, only: [:show, :refresh]
+  before_action :validate_login_parameters, only: [:create]
+
+  # POST <%= auth_route_prefix %>/login
   def create
     user = User.find_by(email_address: params[:user][:email_address])
     
+    # Check if user exists and account is locked
+    if user&.respond_to?(:locked?) && user.locked?
+      render json: { error: 'Account is locked due to too many failed login attempts' }, status: :locked
+      return
+    end
+    
     if user&.authenticate(params[:user][:password])
       if user.status == 1  # inactive
         render json: { error: 'Account is inactive' }, status: :unauthorized
@@ -22,17 +26,17 @@ class <%= controller_namespace %>::TokensController < ApplicationController
       # Update last login timestamp
       user.update(last_login_at: Time.current)
       
-      # Reset failed login attempts on successful login
-      user.reset_failed_attempts! if user.respond_to?(:reset_failed_attempts!)
+      # Reset failed login attempts on successful login (no bang!)
+      user.reset_failed_attempts if user.respond_to?(:reset_failed_attempts)
       
       render json: {
         token: user.generate_jwt_token,
         user: user_response(user)
       }, status: :ok
     else
-      # Increment failed login attempts if user exists and has lockable functionality
-      if user&.respond_to?(:increment_failed_attempts!)
-        user.increment_failed_attempts!
+      # Increment failed login attempts if user exists and has lockable functionality (no bang!)
+      if user&.respond_to?(:increment_failed_attempts)
+        user.increment_failed_attempts
       end
       
       render json: { error: 'Invalid credentials' }, status: :unauthorized
@@ -41,24 +45,26 @@ class <%= controller_namespace %>::TokensController < ApplicationController
     render json: { error: 'Missing required parameters' }, status: :unprocessable_entity
   end
 
-  # DELETE <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/logout
+  # DELETE <%= auth_route_prefix %>/logout
   def destroy
     # For JWT, logout is handled client-side by removing the token
     # Server-side logout would require token blacklisting (future enhancement)
     render json: { message: 'Logged out successfully' }, status: :ok
   end
 
-  # GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/me
-  def me
-    return unless authenticate_user
-    render json: { user: user_response(current_user) }, status: :ok
+  # GET <%= auth_route_prefix %>/me
+  def show
+    render json: {
+      user: user_response(@current_user)
+    }, status: :ok
   end
 
+  # POST <%= auth_route_prefix %>/refresh
   def refresh
     render json: { token: @current_user.generate_jwt_token }
   end
 
-  # POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/unlock
+  # POST <%= auth_route_prefix %>/unlock
   def unlock
     token = params[:token]
     
@@ -71,7 +77,10 @@ class <%= controller_namespace %>::TokensController < ApplicationController
     
     if user
       user.unlock_account!
-      render json: { message: 'Account unlocked successfully' }, status: :ok
+      render json: { 
+        message: 'Account unlocked successfully',
+        user: user_response(user)
+      }, status: :ok
     else
       render json: { error: 'Invalid or expired unlock token' }, status: :unauthorized
     end
@@ -88,9 +97,17 @@ class <%= controller_namespace %>::TokensController < ApplicationController
       username: user.username,
       first_name: user.first_name,
       last_name: user.last_name,
+      status: user.status,
       organization_id: user.organization_id,
+      agency_ids: user.agency_ids,
+      confirmed_at: user.confirmed_at,
       last_login_at: user.last_login_at
     }
   end
-end
-<%- end -%> 
+
+  def validate_login_parameters
+    unless params[:user].present? && params[:user][:email_address].present? && params[:user][:password].present?
+      render json: { error: 'Email address and password are required' }, status: :unprocessable_entity
+    end
+  end
+end

data/lib/generators/{propel_auth → propel_authentication}/templates/auth_mailer.rb

@@ -85,6 +85,7 @@ class AuthMailer < ApplicationMailer
     @organization_name = organization_name(@user)
     @display_name = display_name(@user)
     @support_email = support_email
+    @confirmation_url = confirmation_url(@user)
     
     # Validate required parameters
     raise ArgumentError, "User is required" unless @user
@@ -167,7 +168,8 @@ class AuthMailer < ApplicationMailer
   # Generate confirmation URL with token
   def confirmation_url(user)
     token = user.confirmation_token
-    base_url = PropelAuth.configuration.frontend_url || "#{request.protocol}#{request.host_with_port}"
+    base_url = PropelAuthentication.configuration.frontend_url || 
+               (defined?(request) ? "#{request.protocol}#{request.host_with_port}" : "http://localhost:3000")
     "#{base_url}/auth/confirm?token=#{token}"
   end
 

data/lib/generators/{propel_auth → propel_authentication}/templates/authenticatable.rb

@@ -7,17 +7,23 @@ module Authenticatable
     validates :password, presence: true, length: { minimum: 8 }, if: :password_digest_changed?
   end
 
-  # Generate JWT token for user authentication
+    # Generate JWT token for user authentication with minimal claims
   def generate_jwt_token
     payload = {
       user_id: id,
       email_address: email_address,
       organization_id: organization_id,
+      # Removed: agency_ids (now looked up in real-time for better security)
       iat: Time.now.to_i,
-      exp: PropelAuth.configuration.jwt_expiration.from_now.to_i
+      exp: PropelAuthentication.configuration.jwt_expiration.from_now.to_i
     }
     
-          JWT.encode(payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    JWT.encode(payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
+  end
+
+  # Get all agency IDs this user has access to through agent profiles
+  def agency_ids
+    agents.pluck(:agency_id)
   end
 
   class_methods do
@@ -25,7 +31,7 @@ module Authenticatable
     def find_by_jwt_token(token)
       return nil unless token
       
-      decoded_token = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+      decoded_token = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
       payload = decoded_token.first
       
       # Check if token is expired (JWT gem handles this, but double-check)

data/lib/generators/{propel_auth → propel_authentication}/templates/concerns/confirmable.rb

@@ -73,7 +73,7 @@ module Confirmable
 
   def generate_confirmation_token
     self.confirmation_token = generate_secure_token
-    self.confirmation_sent_at = Time.current
+    # Don't set confirmation_sent_at here - it will be set when email is actually sent
   end
 
   def generate_confirmation_token_if_email_changed
@@ -108,11 +108,11 @@ module Confirmable
   end
 
   def confirmation_period
-    PropelAuth.configuration.confirmation_period || 24.hours
+    PropelAuthentication.configuration.confirmation_period || 24.hours
   end
 
   def confirmation_resend_interval
-    PropelAuth.configuration.confirmation_resend_interval || 1.minute
+    PropelAuthentication.configuration.confirmation_resend_interval || 1.minute
   end
 
   module ClassMethods

data/lib/generators/{propel_auth → propel_authentication}/templates/concerns/lockable.rb

@@ -6,7 +6,7 @@ module Lockable
     return false unless locked_at.present?
     
     # Check if lockout duration has passed (automatic unlock)
-    if locked_at + PropelAuth.configuration.lockout_duration > Time.current
+    if locked_at + PropelAuthentication.configuration.lockout_duration > Time.current
       true # Still within lockout period
     else
       # Lockout period expired, automatically unlock
@@ -26,7 +26,7 @@ module Lockable
     
     self.failed_login_attempts = (failed_login_attempts || 0) + 1
     
-    if failed_login_attempts >= PropelAuth.configuration.max_failed_attempts
+    if failed_login_attempts >= PropelAuthentication.configuration.max_failed_attempts
       lock_account!
     else
       save!
@@ -38,15 +38,17 @@ module Lockable
     update!(failed_login_attempts: 0)
   end
   
-  # Manually lock the account
+  # Manually lock the account (idempotent - won't change timestamp if already locked)
   def lock_account!
+    return if locked?  # Don't re-lock if already locked (preserves original timestamp)
+    
     update!(
       locked_at: Time.current,
-      failed_login_attempts: PropelAuth.configuration.max_failed_attempts
+      failed_login_attempts: PropelAuthentication.configuration.max_failed_attempts
     )
     
     # Send account locked email notification if enabled
-    if PropelAuth.configuration.enable_email_notifications
+    if PropelAuthentication.configuration.enable_email_notifications
       email_result = AuthNotificationService.send_account_unlock_email(self)
       
       if email_result[:success]
@@ -75,7 +77,7 @@ module Lockable
       exp: 1.hour.from_now.to_i # Unlock tokens expire in 1 hour
     }
     
-    JWT.encode(payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    JWT.encode(payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
   end
   
   # Unlock account using a valid unlock token
@@ -83,7 +85,7 @@ module Lockable
     return false unless token.present?
     
     begin
-      decoded_token = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+      decoded_token = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
       payload = decoded_token.first
       
       # Verify token is for this user and is an unlock token
@@ -104,7 +106,7 @@ module Lockable
       return nil unless token.present?
       
       begin
-        decoded_token = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+        decoded_token = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
         payload = decoded_token.first
         
         # Check if token is expired (JWT gem handles this, but double-check)

data/lib/generators/{propel_auth/templates/concerns/propel_authentication.rb → propel_authentication/templates/concerns/propel_authentication_concern.rb}

@@ -1,10 +1,8 @@
 # frozen_string_literal: true
 
-module PropelAuthentication
+module PropelAuthenticationConcern
   extend ActiveSupport::Concern
 
-  private
-
   def authenticate_user
     token = extract_jwt_token
     
@@ -19,6 +17,10 @@ module PropelAuthentication
         render json: { error: 'Invalid token' }, status: :unauthorized
         return false
       end
+      
+      # Extract organization context from JWT payload
+      extract_organization_context(token)
+      
     rescue JWT::ExpiredSignature
       render json: { error: 'Token expired' }, status: :unauthorized
       return false
@@ -34,6 +36,25 @@ module PropelAuthentication
     @current_user
   end
 
+  def current_organization_id
+    @current_organization_id
+  end
+
+  def current_organization
+    @current_organization ||= Organization.find_by(id: current_organization_id) if current_organization_id
+  end
+
+  def current_agency_ids
+    return [] unless current_user
+    
+    # Request-scoped memoization for performance without security risk
+    @current_agency_ids ||= current_user.agency_ids
+  end
+
+  def has_agency_access?(agency_id)
+    current_agency_ids.include?(agency_id.to_i)
+  end
+
   def extract_jwt_token
     auth_header = request.headers['Authorization']
     return nil unless auth_header
@@ -41,4 +62,13 @@ module PropelAuthentication
     # Extract token from "Bearer <token>" format
     auth_header.split(' ').last if auth_header.start_with?('Bearer ')
   end
+
+  private
+
+  def extract_organization_context(token)
+    decoded_token = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    payload = decoded_token.first
+    @current_organization_id = payload['organization_id']
+    # Removed: @current_agency_ids (now looked up in real-time via current_user_agency_ids)
+  end
 end 

data/lib/generators/{propel_auth → propel_authentication}/templates/concerns/recoverable.rb

@@ -15,12 +15,12 @@ module Recoverable
       email_address: self.email_address,
       type: 'password_reset',
       iat: now.to_f,  # Use float for higher precision
-      exp: PropelAuth.configuration.password_reset_expiration.from_now.to_i,
+      exp: PropelAuthentication.configuration.password_reset_expiration.from_now.to_i,
       password_hash: self.password_digest[0..10],  # Bind token to current password
       nonce: SecureRandom.hex(8)  # Add random nonce for uniqueness
     }
     
-    JWT.encode(payload, PropelAuth.configuration.jwt_secret, 'HS256')
+    JWT.encode(payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
   end
 
   # Validate password reset token
@@ -28,7 +28,7 @@ module Recoverable
     return false if token.blank?
     
     begin
-      decoded = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+      decoded = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
       payload = decoded.first
       
       # Validate token structure and content
@@ -51,12 +51,22 @@ module Recoverable
   # Reset password with token validation
   def reset_password_with_token!(token, new_password, new_password_confirmation = new_password)
     return false unless valid_password_reset_token?(token)
-    return false if new_password.blank?
-    return false if new_password != new_password_confirmation
     
-    # Validate password length (configuration is a Range)
-    password_range = PropelAuth.configuration.password_length
-    return false unless password_range.include?(new_password.length)
+    if new_password.blank?
+      errors.add(:password, "cannot be blank")
+      return false
+    end
+    
+    if new_password != new_password_confirmation
+      errors.add(:password_confirmation, "doesn't match Password")
+      return false  
+    end
+    
+    # Validate password length using Rails validations (populates errors)
+    self.password = new_password
+    unless valid?
+      return false  # Rails validations populate errors automatically
+    end
     
     begin
       # Update password and clear failed login attempts
@@ -73,11 +83,11 @@ module Recoverable
 
   class_methods do
     # Find user by JWT password reset token
-    def find_user_by_password_reset_token(token)
+    def find_by_jwt_password_reset_token(token)
       return nil if token.blank?
       
       begin
-        decoded = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+        decoded = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
         payload = decoded.first
         
         # Validate token structure
@@ -102,7 +112,7 @@ module Recoverable
     return nil if token.blank?
     
     begin
-      decoded = JWT.decode(token, PropelAuth.configuration.jwt_secret, true, { algorithm: 'HS256' })
+      decoded = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
       decoded.first['user_id']
     rescue JWT::DecodeError
       nil