propel_authentication 0.1.4 → 0.2.0

data/lib/generators/propel_authentication/templates/concerns/{propel_authentication.rb → propel_authentication_concern.rb}

@@ -1,10 +1,8 @@
 # frozen_string_literal: true
 
-module PropelAuthentication
+module PropelAuthenticationConcern
   extend ActiveSupport::Concern
 
-  private
-
   def authenticate_user
     token = extract_jwt_token
     
@@ -19,6 +17,10 @@ module PropelAuthentication
         render json: { error: 'Invalid token' }, status: :unauthorized
         return false
       end
+      
+      # Extract organization context from JWT payload
+      extract_organization_context(token)
+      
     rescue JWT::ExpiredSignature
       render json: { error: 'Token expired' }, status: :unauthorized
       return false
@@ -34,6 +36,25 @@ module PropelAuthentication
     @current_user
   end
 
+  def current_organization_id
+    @current_organization_id
+  end
+
+  def current_organization
+    @current_organization ||= Organization.find_by(id: current_organization_id) if current_organization_id
+  end
+
+  def current_agency_ids
+    return [] unless current_user
+    
+    # Request-scoped memoization for performance without security risk
+    @current_agency_ids ||= current_user.agency_ids
+  end
+
+  def has_agency_access?(agency_id)
+    current_agency_ids.include?(agency_id.to_i)
+  end
+
   def extract_jwt_token
     auth_header = request.headers['Authorization']
     return nil unless auth_header
@@ -41,4 +62,13 @@ module PropelAuthentication
     # Extract token from "Bearer <token>" format
     auth_header.split(' ').last if auth_header.start_with?('Bearer ')
   end
+
+  private
+
+  def extract_organization_context(token)
+    decoded_token = JWT.decode(token, PropelAuthentication.configuration.jwt_secret, true, { algorithm: 'HS256' })
+    payload = decoded_token.first
+    @current_organization_id = payload['organization_id']
+    # Removed: @current_agency_ids (now looked up in real-time via current_user_agency_ids)
+  end
 end 

data/lib/generators/propel_authentication/templates/concerns/recoverable.rb

@@ -51,12 +51,22 @@ module Recoverable
   # Reset password with token validation
   def reset_password_with_token!(token, new_password, new_password_confirmation = new_password)
     return false unless valid_password_reset_token?(token)
-    return false if new_password.blank?
-    return false if new_password != new_password_confirmation
     
-    # Validate password length (configuration is a Range)
-    password_range = PropelAuthentication.configuration.password_length
-    return false unless password_range.include?(new_password.length)
+    if new_password.blank?
+      errors.add(:password, "cannot be blank")
+      return false
+    end
+    
+    if new_password != new_password_confirmation
+      errors.add(:password_confirmation, "doesn't match Password")
+      return false  
+    end
+    
+    # Validate password length using Rails validations (populates errors)
+    self.password = new_password
+    unless valid?
+      return false  # Rails validations populate errors automatically
+    end
     
     begin
       # Update password and clear failed login attempts
@@ -73,7 +83,7 @@ module Recoverable
 
   class_methods do
     # Find user by JWT password reset token
-    def find_user_by_password_reset_token(token)
+    def find_by_jwt_password_reset_token(token)
       return nil if token.blank?
       
       begin

data/lib/generators/propel_authentication/templates/core/configuration_methods.rb

@@ -3,6 +3,21 @@
 ##
 # Module providing configuration detection and validation for PropelAuthentication generators
 #
+# INDEPENDENCE ARCHITECTURE:
+# - PropelAuthentication works completely standalone with sensible defaults
+# - PropelApi integration is OPTIONAL - when both gems are present, PropelAuthentication
+#   adopts PropelApi's namespace/version for consistency
+# - Neither gem requires the other as a dependency
+# - Graceful fallback ensures no errors when either gem is missing
+#
+# STANDALONE DEFAULTS:
+# - PropelAuthentication: Clean URLs (/login, /me, /signup) for simplicity
+# - PropelApi: REST convention (/api/v1/resources) for standard API patterns
+#
+# INTEGRATION BENEFITS:
+# - When both gems are used together, authentication routes automatically align
+#   with API namespace structure for consistent developer experience
+#
 module PropelAuthentication
   module ConfigurationMethods
     
@@ -18,6 +33,11 @@ module PropelAuthentication
                         default: nil,
                         desc: "Authentication version (e.g., 'v1', 'v2'). Use 'none' for no versioning. Defaults to PropelAuthentication configuration."
 
+      base.class_option :auth_scope,
+                        type: :string,
+                        default: nil,
+                        desc: "Authentication scope namespace (e.g., 'auth', 'admin'). Use 'none' for no auth scope. Defaults to nil for clean URLs."
+
       # Legacy support for existing --api-version option
       base.class_option :api_version,
                         type: :string,
@@ -27,75 +47,67 @@ module PropelAuthentication
 
     protected
 
-          # Initialize shared PropelAuthentication settings used across all generators
-    def initialize_propel_auth_settings
-      @auth_namespace = determine_auth_namespace
-      @auth_version = determine_auth_version
-    end
 
-    # Determine the authentication namespace to use
-    # Priority order:
-    # 1. Command line option (--namespace)
-    # 2. PropelAuthentication configuration (if exists)
-    # 3. Default fallback (nil for clean URLs like /login)
-    def determine_auth_namespace
-      if options[:namespace] == 'none'
-        return nil
-      end
-      
-      if options[:namespace].present?
-        return options[:namespace]
-      end
-      
-      # Try to read from PropelAuthentication configuration
-      begin
-        if defined?(PropelAuthentication) && PropelAuthentication.configuration.respond_to?(:namespace)
-          config_namespace = PropelAuthentication.configuration.namespace
-          return config_namespace if config_namespace.present? && config_namespace != 'none'
-        end
-      rescue => e
-        # Configuration not available, continue to default
-      end
-      
-      # Default fallback - no namespace for clean URLs
-      nil
+
+    # Single method to determine all authentication configuration
+    # Handles namespace, version, and auth_scope with consistent priority logic
+    def determine_configuration
+      @auth_namespace = determine_config_value(:namespace, nil)
+      @auth_version = determine_config_value(:version, nil) 
+      @auth_scope = determine_config_value(:auth_scope, nil)
     end
 
-    # Determine the authentication version to use
-    # Priority order:
-    # 1. Command line option (--version or legacy --api-version)
-    # 2. PropelAuthentication configuration (if exists)  
-    # 3. Default fallback (nil for clean URLs like /login)
-    def determine_auth_version
-      # Check for 'none' in either option
-      if options[:version] == 'none' || options[:api_version] == 'none'
+    # Generic configuration value determination with consistent priority
+    # Priority: 1) Command line, 2) PropelAuthentication config, 3) PropelApi config (optional), 4) Default
+    def determine_config_value(config_key, default_value)
+      option_key = config_key.to_s.gsub('_', '-').to_sym
+      
+      # 1. Explicit command line override
+      if options[option_key] == 'none'
         return nil
       end
       
-      # Check explicit version option first
-      if options[:version].present?
-        return options[:version]
+      if options[option_key].present?
+        return options[option_key]
       end
       
-      # Check legacy api_version option
-      if options[:api_version].present?
-        return options[:api_version]
+      # Legacy support for --api-version
+      if config_key == :version && options[:api_version].present?
+        return options[:api_version] unless options[:api_version] == 'none'
       end
       
-      # Try to read from PropelAuthentication configuration
+      # 2. Try PropelAuthentication configuration
       begin
-        if defined?(PropelAuthentication) && PropelAuthentication.configuration.respond_to?(:version)
-          config_version = PropelAuthentication.configuration.version
-          return config_version if config_version.present? && config_version != 'none'
+        if defined?(PropelAuthentication) && 
+           PropelAuthentication.respond_to?(:configuration) &&
+           PropelAuthentication.configuration.respond_to?(config_key)
+          config_value = PropelAuthentication.configuration.send(config_key)
+          return config_value if config_value.present? && config_value != 'none'
         end
-      rescue => e
-        # Configuration not available, continue to default
+      rescue StandardError
+        # Configuration not available, continue
       end
       
-      # Default fallback - no version for clean URLs
-      nil
+      # 3. OPTIONAL: Try PropelApi for namespace/version consistency (when both gems are used)
+      if [:namespace, :version].include?(config_key)
+        begin
+          if defined?(PropelApi) && 
+             PropelApi.respond_to?(:configuration) &&
+             PropelApi.configuration.respond_to?(config_key)
+            api_value = PropelApi.configuration.send(config_key)
+            return api_value if api_value.present? && api_value != 'none'
+          end
+        rescue StandardError
+          # PropelApi not available - this is fine, PropelAuthentication works independently
+        end
+      end
+      
+      # 4. Sensible default
+      default_value
     end
 
+
+
     # Display helpers for logging
     def namespace_display
       @auth_namespace.present? ? @auth_namespace : 'none'
@@ -105,21 +117,32 @@ module PropelAuthentication
       @auth_version.present? ? @auth_version : 'none'
     end
 
-    # Authentication route path generation
+    def auth_scope_display
+      @auth_scope.present? ? @auth_scope : 'none'
+    end
+
+    # Authentication route path generation - single source of truth for complete route paths
     def auth_route_prefix
       path_parts = []
       path_parts << @auth_namespace if @auth_namespace.present?
       path_parts << @auth_version if @auth_version.present?
+      path_parts << @auth_scope if @auth_scope.present?
+      
       return '/' if path_parts.empty?
       '/' + path_parts.join('/')
     end
 
-    # Authentication controller namespace generation
-    def auth_controller_namespace
+
+    # Single method to generate controller class names for all cases
+    # Handles both regular controllers and versioned controllers  
+    def auth_controller_class_name(controller_type = 'tokens', version = nil)
       class_parts = []
       class_parts << @auth_namespace.camelize if @auth_namespace.present?
-      class_parts << @auth_version.upcase if @auth_version.present?
-      class_parts.empty? ? 'Auth' : class_parts.join('::') + '::Auth'
+      class_parts << (version || @auth_version).upcase if (version || @auth_version).present?
+      class_parts << @auth_scope.camelize if @auth_scope.present?
+      class_parts << "#{controller_type.camelize}Controller"
+      
+      class_parts.join('::')
     end
 
     # Authentication controller directory path
@@ -140,12 +163,29 @@ module PropelAuthentication
       defined?(Rails.application.config.api_only) && Rails.application.config.api_only
     end
 
-    def controller_namespace
-      if api_versioned?
-        auth_controller_namespace
-      else
-        'Auth'
-      end
+    # Extract namespace prefix for test class names (includes trailing :: when needed)
+    # E.g., "Api::V1::Auth::TokensController" → "Api::V1::Auth::"
+    # E.g., "TokensController" → "" (empty, no namespace)
+    def controller_namespace(controller_type)
+      controller_class = auth_controller_class_name(controller_type)
+      namespace_parts = controller_class.split('::')[0..-2]   # Remove "TokensController" part
+      
+      # Return namespace with trailing :: or empty string
+      namespace_parts.empty? ? '' : namespace_parts.join('::') + '::'
+    end
+
+    # Build dynamic controller file path based on current configuration
+    # E.g., Api::V1::Auth::TokensController → app/controllers/api/v1/auth/tokens_controller.rb
+    def controller_file_path(controller_type)
+      controller_class = auth_controller_class_name(controller_type)
+      
+      # Convert class name to file path
+      path_parts = ['app', 'controllers']
+      namespace_parts = controller_class.split('::')[0..-2] # Remove "TokensController" part
+      namespace_parts.each { |part| path_parts << part.downcase }
+      path_parts << "#{controller_type}_controller.rb"
+      
+      path_parts.join('/')
     end
   end
 end 

data/lib/generators/propel_authentication/templates/db/seeds.rb

@@ -8,12 +8,26 @@
 #     MovieGenre.find_or_create_by!(name: genre_name)
 #   end
 
-# Create test organization and user for authentication testing
+# Create comprehensive tenancy structure for authentication testing
+puts "🏢 Creating test organization structure..."
+
 organization = Organization.find_or_create_by!(name: 'Test Organization') do |org|
   org.website = 'https://test.example.com'
   org.time_zone = 'UTC'
 end
 
+# Create agencies for proper tenancy structure
+main_agency = Agency.find_or_create_by!(name: 'Main Department', organization: organization) do |agency|
+  agency.phone_number = '+1-555-0101'
+  agency.address = '123 Main Street'
+end
+
+support_agency = Agency.find_or_create_by!(name: 'Support Department', organization: organization) do |agency|
+  agency.phone_number = '+1-555-0102'
+  agency.address = '123 Support Street'
+end
+
+# Create test users with proper confirmations
 user = User.find_or_create_by!(email_address: 'test@example.com') do |u|
   u.username = 'testuser'
   u.email_address = 'test@example.com'
@@ -22,8 +36,40 @@ user = User.find_or_create_by!(email_address: 'test@example.com') do |u|
   u.organization = organization
   u.first_name = 'Test'
   u.last_name = 'User'
+  u.confirmed_at = 1.week.ago  # Confirmed user for easier testing
+end
+
+admin_user = User.find_or_create_by!(email_address: 'admin@example.com') do |u|
+  u.username = 'adminuser'
+  u.email_address = 'admin@example.com'
+  u.password = 'password123'
+  u.password_confirmation = 'password123'
+  u.organization = organization
+  u.first_name = 'Admin'
+  u.last_name = 'User'
+  u.confirmed_at = 1.week.ago  # Confirmed admin for easier testing
+end
+
+# Create agent associations for agency access (CRITICAL for tenancy validation)
+Agent.find_or_create_by!(user: user, agency: main_agency) do |agent|
+  agent.role = 'member'
+end
+
+Agent.find_or_create_by!(user: admin_user, agency: main_agency) do |agent|
+  agent.role = 'manager'
+end
+
+Agent.find_or_create_by!(user: admin_user, agency: support_agency) do |agent|
+  agent.role = 'admin'
 end
 
-puts "Created test organization: #{organization.name}"
-puts "Created test user: #{user.email_address} (password: password123)"
-puts "You can now test login with POST /auth/login"
+puts "✅ Created test organization: #{organization.name}"
+puts "✅ Created agencies: #{Agency.where(organization: organization).pluck(:name).join(', ')}"
+puts "✅ Created test user: #{user.email_address} (password: password123)"
+puts "✅ Created admin user: #{admin_user.email_address} (password: password123)"
+puts "✅ Created agent associations for proper tenancy access"
+puts ""
+puts "🎯 Test user agency access: #{user.agency_ids}"
+puts "🎯 Admin user agency access: #{admin_user.agency_ids}"
+puts ""
+puts "🚀 You can now test login with POST /api/v1/login"