propel_authentication 0.1.4 → 0.2.0

data/lib/generators/propel_authentication/templates/auth/passwords_controller.rb.tt

@@ -1,11 +1,10 @@
-<%- if api_versioned? -%>
-# Dynamic API versioning controller - inherits from base controller
-class <%= controller_namespace %>::PasswordsController < Api::Auth::BasePasswordsController
-end
-<%- else -%>
-class <%= controller_namespace %>::PasswordsController < ApplicationController
+class <%= auth_controller_class_name('passwords') %> < ApplicationController
+  <%- unless api_only_app? -%>
+  include RackSessionDisable
+  <%- end -%>
+  include PropelAuthenticationConcern
 
-  # POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset - Request password reset
+  # POST <%= auth_route_prefix %>/reset
   def create
     email_address = params[:email_address]
     
@@ -14,113 +13,120 @@ class <%= controller_namespace %>::PasswordsController < ApplicationController
       return render json: { error: "Email address is required" }, status: :unprocessable_entity
     end
     
-    # Validate email_address format
-    unless email_address.match?(/\A[\w+\-.]+@[a-z\d\-]+(\.[a-z\d\-]+)*\.[a-z]+\z/i)
+    # Validate email format
+    unless email_address.match?(URI::MailTo::EMAIL_REGEXP)
       return render json: { error: "Email address format is invalid" }, status: :unprocessable_entity
     end
     
-    # For security, always return the same response whether user exists or not
-    # This prevents user enumeration attacks
-    response_message = "If an account with that email address exists, password reset instructions have been sent to your email"
-    
-    # Find user by email_address and send reset email if user exists
     user = User.find_by(email_address: email_address)
     
-    if user && PropelAuth.configuration.enable_email_notifications
-      # Send password reset email using the notification service
-      email_result = AuthNotificationService.send_password_reset_email(user)
+    if user
+      # Generate and save reset token
+      user.generate_password_reset_token
       
-      # Log the result but don't expose it to prevent user enumeration
-      if email_result[:success]
-        Rails.logger.info "Password reset email sent successfully to #{email_address}"
-      else
-        Rails.logger.error "Failed to send password reset email to #{email_address}: #{email_result[:error]}"
+      # Send password reset email
+      if PropelAuthentication.configuration.enable_email_notifications
+        email_result = AuthNotificationService.send_password_reset_email(user)
+        
+        if email_result[:success]
+          Rails.logger.info "Password reset email sent successfully to #{user.email_address}"
+        else
+          Rails.logger.error "Failed to send password reset email to #{user.email_address}: #{email_result[:error]}"
+        end
       end
+      
+      render json: { 
+        message: "Password reset instructions have been sent to your email address"
+      }, status: :ok
+    else
+      # Don't reveal whether the email exists for security
+      render json: { 
+        message: "Password reset instructions have been sent to your email address"
+      }, status: :ok
     end
-    
-    # Always return the same response for security
-    render json: { message: response_message }, status: :ok
+  rescue => e
+    Rails.logger.error "Password reset creation error: #{e.message}"
+    render json: { error: "Unable to process password reset request" }, status: :unprocessable_entity
   end
 
-  # PUT <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset - Confirm password reset with token
-  def update
+  # GET <%= auth_route_prefix %>/reset
+  def show
     token = params[:token]
-    password = params[:password]
-    password_confirmation = params[:password_confirmation]
     
-    # Validate required parameters
     if token.blank?
-      return render json: { error: "Reset token is required" }, status: :unprocessable_entity
-    end
-    
-    if password.blank?
-      return render json: { error: "Password is required" }, status: :unprocessable_entity
-    end
-    
-    if password_confirmation.blank?
-      return render json: { error: "Password confirmation is required" }, status: :unprocessable_entity
+      render json: { error: 'Reset token is required' }, status: :unprocessable_entity
+      return
     end
     
-    # Validate password confirmation
-    if password != password_confirmation
-      return render json: { error: "Password and confirmation do not match" }, status: :unprocessable_entity
-    end
-    
-    # Find user by token
-    user = User.find_user_by_password_reset_token(token)
+    user = User.find_by_jwt_password_reset_token(token)
     
-    unless user
-      return render json: { error: "Invalid or expired reset token" }, status: :unauthorized
-    end
-    
-    # Attempt password reset
-    if user.reset_password_with_token!(token, password, password_confirmation)
+    if user
       render json: {
-        message: "Password has been reset successfully",
+        valid: true,  # Test expects this field
+        message: 'Valid reset token',
         user: {
           id: user.id,
           email_address: user.email_address,
-          username: user.username
+          token: token
         }
       }, status: :ok
     else
-      render json: { error: "Password is too short (minimum is 8 characters)" }, status: :unprocessable_entity
+      render json: { 
+        valid: false,  # Test expects this field
+        error: 'Invalid or expired reset token' 
+      }, status: :unauthorized
     end
+  rescue => e
+    Rails.logger.error "Password reset show error: #{e.message}"
+    render json: { error: 'Invalid reset token' }, status: :unauthorized
   end
 
-  # GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/reset - Verify reset token
-  def show
+  # PATCH <%= auth_route_prefix %>/reset
+  def update
     token = params[:token]
+    new_password = params[:password]
+    password_confirmation = params[:password_confirmation]
     
-    # Validate token parameter
+    # Validate required parameters
     if token.blank?
-      return render json: { error: "Token parameter is required" }, status: :unprocessable_entity
+      return render json: { error: 'Reset token is required' }, status: :unprocessable_entity
     end
     
-    # Find user by token
-    user = User.find_user_by_password_reset_token(token)
+    if new_password.blank?
+      return render json: { error: 'New password is required' }, status: :unprocessable_entity
+    end
     
-    if user
-      render json: {
-        valid: true,
+    if new_password != password_confirmation
+      return render json: { error: 'Password confirmation does not match password' }, status: :unprocessable_entity
+    end
+    
+    user = User.find_by_jwt_password_reset_token(token)
+    
+    if user.nil?
+      return render json: { error: 'Invalid or expired reset token' }, status: :unauthorized
+    end
+    
+    # Update password and clear reset token
+    if user.reset_password_with_token!(token, new_password)
+      render json: { 
+        message: 'Password has been reset successfully',
         user: {
           id: user.id,
-          email_address: user.email_address,
-          username: user.username
+          email_address: user.email_address
         }
       }, status: :ok
     else
-      render json: {
-        valid: false,
-        error: "Invalid or expired reset token"
-      }, status: :unauthorized
+      # Return specific validation errors from the user model
+      error_messages = user.errors.full_messages
+      primary_error = error_messages.first || 'Password validation failed'
+      
+      render json: { 
+        error: primary_error,  # Use specific validation message
+        details: error_messages
+      }, status: :unprocessable_entity
     end
+  rescue => e
+    Rails.logger.error "Password reset update error: #{e.message}"
+    render json: { error: 'Unable to reset password' }, status: :unprocessable_entity
   end
-
-  private
-
-  def password_reset_params
-    params.permit(:email_address, :token, :password, :password_confirmation)
-  end
-end
-<%- end -%> 
+end

data/lib/generators/propel_authentication/templates/auth/signup_controller.rb.tt

@@ -0,0 +1,242 @@
+class <%= auth_controller_class_name('signup') %> < ApplicationController
+  <%- unless api_only_app? -%>
+  include RackSessionDisable
+  <%- end -%>
+
+  # POST <%= auth_route_prefix %>/signup
+  def create
+    # Validate agency requirements if agency tenancy is enabled
+    return unless validate_agency_requirements!
+    
+    ActiveRecord::Base.transaction do
+      @organization = Organization.create!(organization_params)
+      @user = @organization.users.create!(user_params)
+      
+      # Create agency if agency tenancy is enabled and agency params provided
+      if agency_tenancy_enabled? && agency_params.present?
+        @agency = @organization.agencies.create!(agency_params)
+        
+        # Create agent relationship so user has immediate agency access
+        @user.agents.create!(
+          agency: @agency,
+          role: agent_role_param
+        )
+      end
+      
+      # Generate JWT for immediate login
+      token = @user.generate_jwt_token
+      
+      render json: { 
+        token: token,
+        user: user_response(@user),
+        organization: organization_response(@organization),
+        agency: agency_created? ? agency_response(@agency) : nil,
+        agent: agency_created? ? agent_response(@user.agents.last) : nil,
+        message: "Account created successfully! Ready to start working.",
+        next_steps: next_steps_for_user
+      }, status: :created
+    end
+  rescue ActiveRecord::RecordInvalid => e
+    render json: { 
+      error: 'Validation failed',
+      details: extract_validation_errors(e),
+      message: 'Please correct the errors and try again'
+    }, status: :unprocessable_entity
+  rescue => e
+    render json: { 
+      error: 'Account creation failed',
+      message: 'An unexpected error occurred. Please try again.'
+    }, status: :internal_server_error
+  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(
+      :email_address, 
+      :username, 
+      :password, 
+      :password_confirmation,
+      :first_name, 
+      :last_name, 
+      :phone_number,
+      :time_zone
+    )
+  end
+
+  def organization_params
+    params.require(:organization).permit(
+      :name, 
+      :website, 
+      :time_zone,
+      :description
+    )
+  end
+
+  def agency_params
+    return {} unless params[:agency].present?
+    
+    params.require(:agency).permit(
+      :name,
+      :phone_number,
+      :address
+    )
+  end
+
+  def agent_role_param
+    params.dig(:agent, :role) || 'owner'
+  end
+
+  def user_response(user)
+    {
+      id: user.id,
+      email_address: user.email_address,
+      username: user.username,
+      first_name: user.first_name,
+      last_name: user.last_name,
+      organization_id: user.organization_id,
+      created_at: user.created_at
+    }
+  end
+
+  def organization_response(organization)
+    {
+      id: organization.id,
+      name: organization.name,
+      website: organization.website,
+      time_zone: organization.time_zone
+    }
+  end
+
+  def agency_response(agency)
+    return nil unless agency
+    
+    {
+      id: agency.id,
+      name: agency.name,
+      organization_id: agency.organization_id
+    }
+  end
+
+  def agent_response(agent)
+    return nil unless agent
+    
+    {
+      id: agent.id,
+      user_id: agent.user_id,
+      agency_id: agent.agency_id,
+      role: agent.role,
+      created_at: agent.created_at
+    }
+  end
+
+  def agency_created?
+    defined?(@agency) && @agency.present?
+  end
+
+  def next_steps_for_user
+    steps = []
+    
+    if agency_tenancy_enabled?
+      if agency_created?
+        steps << {
+          action: 'create_additional_agencies',
+          description: 'Add more agencies to organize your team',
+          endpoint: '<%= auth_route_prefix %>/agencies',
+          method: 'POST'
+        }
+        steps << {
+          action: 'start_creating_resources',
+          description: 'Begin creating and managing your content (you can create resources immediately)',
+          endpoint: '<%= auth_route_prefix %>/',
+          note: 'Your agency is ready for resource creation'
+        }
+      else
+        steps << {
+          action: 'create_agency',
+          description: 'Create an agency to organize your resources',
+          endpoint: '<%= auth_route_prefix %>/agencies',
+          method: 'POST',
+          required: true
+        }
+      end
+      
+      steps << {
+        action: 'invite_team_members',
+        description: 'Invite colleagues to join your organization',
+                  endpoint: '<%= auth_route_prefix %>/invitations',
+        method: 'POST'
+      }
+    else
+      steps << {
+        action: 'invite_team_members',
+        description: 'Invite colleagues to join your organization',
+                  endpoint: '<%= auth_route_prefix %>/invitations',
+        method: 'POST'
+      }
+      steps << {
+        action: 'start_creating_resources',
+        description: 'Begin creating and managing your content',
+        endpoint: '<%= auth_route_prefix %>/'
+      }
+    end
+    
+    steps
+  end
+
+  def agency_tenancy_enabled?
+    # Check PropelAuthentication configuration (owns tenancy models)
+    if defined?(PropelAuthentication) && PropelAuthentication.respond_to?(:configuration)
+      PropelAuthentication.configuration.agency_tenancy
+    else
+      true  # Safe default - enables agency tenancy when configuration unavailable
+    end
+  rescue => e
+    # Default to true if configuration is not available (standalone auth setup)
+    true
+  end
+
+  def extract_validation_errors(exception)
+    return {} unless exception.record
+    
+    errors = {}
+    exception.record.errors.each do |error|
+      field = error.attribute
+      errors[field] ||= []
+      errors[field] << error.full_message
+    end
+    
+    # If no specific field errors, use base errors
+    if errors.empty? && exception.record.errors.any?
+      errors[:base] = exception.record.errors.full_messages
+    end
+    
+    errors
+  end
+
+  # Validate that required agency params are present when agency tenancy is enabled
+  def validate_agency_requirements!
+    return unless agency_tenancy_enabled?
+    
+    if params[:agency].blank?
+      render json: {
+        error: 'Agency information required',
+        message: 'Agency details must be provided when agency tenancy is enabled',
+        code: 'MISSING_AGENCY_DATA',
+        hint: 'Include an "agency" object with name and other details in your request'
+      }, status: :unprocessable_entity
+      return false
+    end
+    
+    if agency_params[:name].blank?
+      render json: {
+        error: 'Agency name required',
+        message: 'Agency name is required when creating an agency',
+        code: 'MISSING_AGENCY_NAME'
+      }, status: :unprocessable_entity
+      return false
+    end
+    
+    true
+  end
+end

data/lib/generators/propel_authentication/templates/{tokens_controller.rb.tt → auth/tokens_controller.rb.tt}

@@ -1,18 +1,22 @@
-<%- if api_versioned? -%>
-# Dynamic API versioning controller - inherits from base controller
-class <%= controller_namespace %>::TokensController < Api::Auth::BaseTokensController
-end
-<%- else -%>
-class <%= controller_namespace %>::TokensController < ApplicationController
+class <%= auth_controller_class_name('tokens') %> < ApplicationController
   <%- unless api_only_app? -%>
   include RackSessionDisable
   <%- end -%>
-  include PropelAuthentication
+  include PropelAuthenticationConcern
 
-  # POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/login
+  before_action :authenticate_user, only: [:show, :refresh]
+  before_action :validate_login_parameters, only: [:create]
+
+  # POST <%= auth_route_prefix %>/login
   def create
     user = User.find_by(email_address: params[:user][:email_address])
     
+    # Check if user exists and account is locked
+    if user&.respond_to?(:locked?) && user.locked?
+      render json: { error: 'Account is locked due to too many failed login attempts' }, status: :locked
+      return
+    end
+    
     if user&.authenticate(params[:user][:password])
       if user.status == 1  # inactive
         render json: { error: 'Account is inactive' }, status: :unauthorized
@@ -22,17 +26,17 @@ class <%= controller_namespace %>::TokensController < ApplicationController
       # Update last login timestamp
       user.update(last_login_at: Time.current)
       
-      # Reset failed login attempts on successful login
-      user.reset_failed_attempts! if user.respond_to?(:reset_failed_attempts!)
+      # Reset failed login attempts on successful login (no bang!)
+      user.reset_failed_attempts if user.respond_to?(:reset_failed_attempts)
       
       render json: {
         token: user.generate_jwt_token,
         user: user_response(user)
       }, status: :ok
     else
-      # Increment failed login attempts if user exists and has lockable functionality
-      if user&.respond_to?(:increment_failed_attempts!)
-        user.increment_failed_attempts!
+      # Increment failed login attempts if user exists and has lockable functionality (no bang!)
+      if user&.respond_to?(:increment_failed_attempts)
+        user.increment_failed_attempts
       end
       
       render json: { error: 'Invalid credentials' }, status: :unauthorized
@@ -41,24 +45,26 @@ class <%= controller_namespace %>::TokensController < ApplicationController
     render json: { error: 'Missing required parameters' }, status: :unprocessable_entity
   end
 
-  # DELETE <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/logout
+  # DELETE <%= auth_route_prefix %>/logout
   def destroy
     # For JWT, logout is handled client-side by removing the token
     # Server-side logout would require token blacklisting (future enhancement)
     render json: { message: 'Logged out successfully' }, status: :ok
   end
 
-  # GET <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/me
-  def me
-    return unless authenticate_user
-    render json: { user: user_response(current_user) }, status: :ok
+  # GET <%= auth_route_prefix %>/me
+  def show
+    render json: {
+      user: user_response(@current_user)
+    }, status: :ok
   end
 
+  # POST <%= auth_route_prefix %>/refresh
   def refresh
     render json: { token: @current_user.generate_jwt_token }
   end
 
-  # POST <%= api_versioned? ? "/#{api_namespace}" : "" %>/auth/unlock
+  # POST <%= auth_route_prefix %>/unlock
   def unlock
     token = params[:token]
     
@@ -71,7 +77,10 @@ class <%= controller_namespace %>::TokensController < ApplicationController
     
     if user
       user.unlock_account!
-      render json: { message: 'Account unlocked successfully' }, status: :ok
+      render json: { 
+        message: 'Account unlocked successfully',
+        user: user_response(user)
+      }, status: :ok
     else
       render json: { error: 'Invalid or expired unlock token' }, status: :unauthorized
     end
@@ -88,9 +97,17 @@ class <%= controller_namespace %>::TokensController < ApplicationController
       username: user.username,
       first_name: user.first_name,
       last_name: user.last_name,
+      status: user.status,
       organization_id: user.organization_id,
+      agency_ids: user.agency_ids,
+      confirmed_at: user.confirmed_at,
       last_login_at: user.last_login_at
     }
   end
-end
-<%- end -%> 
+
+  def validate_login_parameters
+    unless params[:user].present? && params[:user][:email_address].present? && params[:user][:password].present?
+      render json: { error: 'Email address and password are required' }, status: :unprocessable_entity
+    end
+  end
+end

data/lib/generators/propel_authentication/templates/auth_mailer.rb

@@ -85,6 +85,7 @@ class AuthMailer < ApplicationMailer
     @organization_name = organization_name(@user)
     @display_name = display_name(@user)
     @support_email = support_email
+    @confirmation_url = confirmation_url(@user)
     
     # Validate required parameters
     raise ArgumentError, "User is required" unless @user
@@ -167,7 +168,8 @@ class AuthMailer < ApplicationMailer
   # Generate confirmation URL with token
   def confirmation_url(user)
     token = user.confirmation_token
-    base_url = PropelAuthentication.configuration.frontend_url || "#{request.protocol}#{request.host_with_port}"
+    base_url = PropelAuthentication.configuration.frontend_url || 
+               (defined?(request) ? "#{request.protocol}#{request.host_with_port}" : "http://localhost:3000")
     "#{base_url}/auth/confirm?token=#{token}"
   end
 

data/lib/generators/propel_authentication/templates/authenticatable.rb

@@ -7,17 +7,23 @@ module Authenticatable
     validates :password, presence: true, length: { minimum: 8 }, if: :password_digest_changed?
   end
 
-  # Generate JWT token for user authentication
+    # Generate JWT token for user authentication with minimal claims
   def generate_jwt_token
     payload = {
       user_id: id,
       email_address: email_address,
       organization_id: organization_id,
+      # Removed: agency_ids (now looked up in real-time for better security)
       iat: Time.now.to_i,
       exp: PropelAuthentication.configuration.jwt_expiration.from_now.to_i
     }
     
-          JWT.encode(payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
+    JWT.encode(payload, PropelAuthentication.configuration.jwt_secret, 'HS256')
+  end
+
+  # Get all agency IDs this user has access to through agent profiles
+  def agency_ids
+    agents.pluck(:agency_id)
   end
 
   class_methods do

data/lib/generators/propel_authentication/templates/concerns/confirmable.rb

@@ -73,7 +73,7 @@ module Confirmable
 
   def generate_confirmation_token
     self.confirmation_token = generate_secure_token
-    self.confirmation_sent_at = Time.current
+    # Don't set confirmation_sent_at here - it will be set when email is actually sent
   end
 
   def generate_confirmation_token_if_email_changed

data/lib/generators/propel_authentication/templates/concerns/lockable.rb

@@ -38,15 +38,17 @@ module Lockable
     update!(failed_login_attempts: 0)
   end
   
-  # Manually lock the account
+  # Manually lock the account (idempotent - won't change timestamp if already locked)
   def lock_account!
+    return if locked?  # Don't re-lock if already locked (preserves original timestamp)
+    
     update!(
       locked_at: Time.current,
       failed_login_attempts: PropelAuthentication.configuration.max_failed_attempts
     )
     
     # Send account locked email notification if enabled
-    if PropelAuth.configuration.enable_email_notifications
+    if PropelAuthentication.configuration.enable_email_notifications
       email_result = AuthNotificationService.send_account_unlock_email(self)
       
       if email_result[:success]