rails-auth-eassy 0.1.1

data/app/controllers/rails/auth/sessions_controller.rb

@@ -0,0 +1,69 @@
+module Rails
+  module Auth
+    class SessionsController < ApplicationController
+      skip_before_action :authenticate_user!, only: [ :new, :create ]
+
+      def new
+      end
+
+      def create
+        user = Rails::Auth.user_class.find_by(email: params[:email])
+
+        if user&.access_locked?
+          respond_to do |format|
+            format.html { redirect_to new_session_path, alert: "Your account is locked. Please check your email for unlock instructions." }
+            format.json { render json: { error: "Account locked" }, status: :locked }
+          end
+          return
+        end
+
+        if user&.authenticate(params[:password])
+          unless user.confirmed?
+            respond_to do |format|
+              format.html { redirect_to new_session_path, alert: "Please confirm your email address before signing in." }
+              format.json { render json: { error: "Email not confirmed" }, status: :unauthorized }
+            end
+            return
+          end
+
+          user.update(failed_attempts: 0) # Reset on success
+
+          if user.otp_enabled?
+            session[:otp_user_id] = user.id
+            respond_to do |format|
+              format.html { redirect_to new_otp_verification_path }
+              format.json { render json: { mfa_required: true }, status: :accepted }
+            end
+          else
+            sign_in(user)
+            respond_to do |format|
+              format.html { redirect_to main_app.root_path, notice: "Signed in successfully." }
+              format.json { render json: { token: Rails::Auth.encode_jwt(user_id: user.id), user: user.as_json(only: [ :id, :email, :role ]) } }
+            end
+          end
+        else
+          if user
+            user.increment_failed_attempts!
+            user.log_security_event!(:login_failed, request)
+            message = user.access_locked? ? "Account locked. Check your email." : "Invalid email or password."
+          else
+            message = "Invalid email or password."
+          end
+
+          respond_to do |format|
+            format.html do
+              flash.now[:alert] = message
+              render :new, status: :unprocessable_entity
+            end
+            format.json { render json: { error: message }, status: :unauthorized }
+          end
+        end
+      end
+
+      def destroy
+        sign_out
+        redirect_to main_app.root_path, notice: "Signed out successfully."
+      end
+    end
+  end
+end

data/app/controllers/rails/auth/unlocks_controller.rb

@@ -0,0 +1,17 @@
+module Rails
+  module Auth
+    class UnlocksController < ApplicationController
+      skip_before_action :authenticate_user!
+
+      def show
+        user = Rails::Auth.user_class.find_by(unlock_token: params[:unlock_token])
+        if user
+          user.unlock_access!
+          redirect_to new_session_path, notice: "Your account has been unlocked. Please sign in."
+        else
+          redirect_to new_session_path, alert: "Invalid unlock token."
+        end
+      end
+    end
+  end
+end

data/app/helpers/rails/auth/application_helper.rb

@@ -0,0 +1,6 @@
+module Rails
+  module Auth
+    module ApplicationHelper
+    end
+  end
+end

data/app/jobs/rails/auth/application_job.rb

@@ -0,0 +1,6 @@
+module Rails
+  module Auth
+    class ApplicationJob < ActiveJob::Base
+    end
+  end
+end

data/app/mailers/rails/auth/application_mailer.rb

@@ -0,0 +1,8 @@
+module Rails
+  module Auth
+    class ApplicationMailer < ActionMailer::Base
+      default from: "from@example.com"
+      layout "mailer"
+    end
+  end
+end

data/app/mailers/rails/auth/user_mailer.rb

@@ -0,0 +1,20 @@
+module Rails
+  module Auth
+    class UserMailer < ApplicationMailer
+      def password_reset(user)
+        @user = user
+        mail to: user.email, subject: "Password Reset Instructions"
+      end
+
+      def confirmation_instructions(user)
+        @user = user
+        mail to: user.email, subject: "Confirmation Instructions"
+      end
+
+      def unlock_instructions(user)
+        @user = user
+        mail to: user.email, subject: "Unlock Instructions"
+      end
+    end
+  end
+end

data/app/models/concerns/rails/auth/authenticatable.rb

@@ -0,0 +1,107 @@
+module Rails
+  module Auth
+    module Authenticatable
+      extend ActiveSupport::Concern
+included do
+  has_secure_password
+  has_many :sessions, class_name: Rails::Auth.session_class_name, dependent: :destroy
+  has_many :security_events, class_name: "Rails::Auth::SecurityEvent", dependent: :destroy
+
+  validates :email, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
+
+  validates :password, allow_nil: true, length: { minimum: 8 }
+
+  enum :role, { user: 0, moderator: 1, admin: 2 }
+  has_one_attached :avatar
+
+  before_create :generate_confirmation_token, unless: :confirmed?
+end
+
+# Confirmable
+def confirm!
+  update!(confirmed_at: Time.current, confirmation_token: nil)
+end
+
+def confirmed?
+  confirmed_at.present?
+end
+
+def generate_confirmation_token
+  self.confirmation_token = SecureRandom.hex(20)
+  self.confirmation_sent_at = Time.current
+end
+
+def send_confirmation_instructions
+  generate_confirmation_token
+  save!
+  Rails::Auth::UserMailer.confirmation_instructions(self).deliver_now
+end
+
+# Lockable
+def lock_access!
+  update!(locked_at: Time.current, unlock_token: SecureRandom.hex(20))
+  Rails::Auth::UserMailer.unlock_instructions(self).deliver_now
+end
+
+def unlock_access!
+  update!(locked_at: nil, failed_attempts: 0, unlock_token: nil)
+end
+
+def access_locked?
+  locked_at.present? && locked_at > 1.hour.ago
+end
+
+def increment_failed_attempts!
+  self.failed_attempts += 1
+  if failed_attempts >= 5
+    lock_access!
+  else
+    save!
+  end
+end
+
+# MFA
+def generate_otp_secret!
+  update!(otp_secret: ::ROTP::Base32.random)
+end
+
+def verify_otp(code)
+  return false unless otp_secret.present?
+  totp = ::ROTP::TOTP.new(otp_secret, issuer: "RailsAuth")
+  totp.verify(code, drift_behind: 15)
+end
+
+def otp_provisioning_uri
+  totp = ::ROTP::TOTP.new(otp_secret, issuer: "RailsAuth")
+  totp.provisioning_uri(email)
+end
+
+def log_security_event!(event_type, request = nil, details = {})
+  security_events.create!(
+    event_type: event_type,
+    ip_address: request&.remote_ip,
+    user_agent: request&.user_agent,
+    details: details
+  )
+end
+
+      # Password Reset
+
+
+      def generate_password_reset_token!
+        update!(
+          reset_token: SecureRandom.hex(20),
+          reset_sent_at: Time.current
+        )
+      end
+
+      def password_reset_token_valid?
+        reset_sent_at.present? && reset_sent_at > 2.hours.ago
+      end
+
+      def clear_password_reset_token!
+        update!(reset_token: nil, reset_sent_at: nil)
+      end
+    end
+  end
+end

data/app/models/concerns/rails/auth/sessionable.rb

@@ -0,0 +1,30 @@
+module Rails
+  module Auth
+    module Sessionable
+      extend ActiveSupport::Concern
+
+      included do
+        belongs_to :user, class_name: Rails::Auth.user_class_name
+
+        before_create :generate_token
+        before_create :set_device_info
+
+        scope :active, -> { where("last_active_at > ?", 1.month.ago) }
+      end
+
+      private
+
+      def generate_token
+        self.token = SecureRandom.hex(32)
+      end
+
+      def set_device_info
+        if user_agent.present?
+          ua = UserAgent.parse(user_agent)
+          self.browser = "#{ua.browser} #{ua.version}"
+          self.os = ua.platform
+        end
+      end
+    end
+  end
+end

data/app/models/rails/auth/application_record.rb

@@ -0,0 +1,7 @@
+module Rails
+  module Auth
+    class ApplicationRecord < ActiveRecord::Base
+      self.abstract_class = true
+    end
+  end
+end

data/app/models/rails/auth/current.rb

@@ -0,0 +1,7 @@
+module Rails
+  module Auth
+    class Current < ActiveSupport::CurrentAttributes
+      attribute :user, :session
+    end
+  end
+end

data/app/models/rails/auth/security_event.rb

@@ -0,0 +1,25 @@
+module Rails
+  module Auth
+    class SecurityEvent < ApplicationRecord
+      self.table_name = "security_events"
+
+      belongs_to :user, class_name: Rails::Auth.user_class_name
+
+      validates :event_type, presence: true
+
+      enum :event_type, {
+        login_success: "login_success",
+        login_failed: "login_failed",
+        logout: "logout",
+        password_changed: "password_changed",
+        password_reset_requested: "password_reset_requested",
+        mfa_enabled: "mfa_enabled",
+        mfa_disabled: "mfa_disabled",
+        account_locked: "account_locked",
+        account_unlocked: "account_unlocked",
+        impersonation_started: "impersonation_started",
+        impersonation_stopped: "impersonation_stopped"
+      }
+    end
+  end
+end

data/app/views/layouts/rails/auth/application.html.erb

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Rails auth</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+
+  <%= yield :head %>
+
+  <%= stylesheet_link_tag    "rails/auth/application", media: "all" %>
+</head>
+<body>
+  <% if impersonating? %>
+    <div style="background: #ffcc00; padding: 10px; text-align: center;">
+      You are currently impersonating <strong><%= current_user.email %></strong>.
+      <%= button_to "Stop Impersonation", rails_auth.stop_impersonations_path, method: :delete, style: "margin-left: 10px;" %>
+    </div>
+  <% end %>
+
+  <% flash.each do |type, message| %>
+    <div class="flash flash-<%= type %>">
+      <%= message %>
+    </div>
+  <% end %>
+
+<%= yield %>
+
+</body>
+</html>

data/app/views/rails/auth/mfa/show.html.erb

@@ -0,0 +1,24 @@
+<h2>Two-Factor Authentication (MFA)</h2>
+
+<% if current_user.otp_enabled? %>
+  <p>Two-factor authentication is currently enabled.</p>
+  <%= button_to "Disable MFA", rails_auth.mfa_path, method: :delete, data: { confirm: "Are you sure?" } %>
+<% else %>
+  <p>To enable two-factor authentication, scan the QR code below with your authenticator app (Google Authenticator, Authy, etc.):</p>
+  
+  <div>
+    <%= @qrcode.as_svg(module_size: 4).html_safe %>
+  </div>
+
+  <p>After scanning, enter the 6-digit code from your app to verify:</p>
+
+  <%= form_with url: rails_auth.mfa_path do |f| %>
+    <div>
+      <%= f.label :otp_code, "Verification Code" %>
+      <%= f.text_field :otp_code, autocomplete: "one-time-code" %>
+    </div>
+    <%= f.submit "Verify and Enable MFA" %>
+  <% end %>
+<% end %>
+
+<%= link_to "Back to Security", rails_auth.security_sessions_path %>

data/app/views/rails/auth/otp_verifications/new.html.erb

@@ -0,0 +1,13 @@
+<h2>Two-Factor Authentication</h2>
+
+<p>Enter the 6-digit code from your authenticator app to complete sign in.</p>
+
+<%= form_with url: rails_auth.otp_verification_path do |f| %>
+  <div>
+    <%= f.label :otp_code, "Verification Code" %>
+    <%= f.text_field :otp_code, autofocus: true, autocomplete: "one-time-code" %>
+  </div>
+  <%= f.submit "Verify and Sign In" %>
+<% end %>
+
+<%= link_to "Cancel", rails_auth.new_session_path %>

data/app/views/rails/auth/password_resets/edit.html.erb

@@ -0,0 +1,28 @@
+<h2>Reset Password</h2>
+
+<%= form_with model: @user, url: rails_auth.password_reset_path(@user.reset_token), method: :patch do |f| %>
+  <% if @user.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@user.errors.count, "error") %> prohibited this user from being saved:</h2>
+      <ul>
+        <% @user.errors.full_messages.each do |message| %>
+          <li><%= message %></li>
+        <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <div>
+    <%= f.label :password %>
+    <%= f.password_field :password, autofocus: true, autocomplete: "new-password" %>
+  </div>
+
+  <div>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+  </div>
+
+  <div>
+    <%= f.submit "Update Password" %>
+  </div>
+<% end %>

data/app/views/rails/auth/password_resets/new.html.erb

@@ -0,0 +1,14 @@
+<h2>Forgot Password</h2>
+
+<%= form_with url: rails_auth.password_resets_path do |f| %>
+  <div>
+    <%= f.label :email %>
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+  </div>
+
+  <div>
+    <%= f.submit "Send reset instructions" %>
+  </div>
+<% end %>
+
+<%= link_to "Back to Sign in", rails_auth.new_session_path %>

data/app/views/rails/auth/profiles/edit.html.erb

@@ -0,0 +1,44 @@
+<h2>Edit Profile</h2>
+
+<%= form_with model: @user, url: rails_auth.profile_path, method: :patch do |f| %>
+  <% if @user.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@user.errors.count, "error") %> prohibited this profile from being saved:</h2>
+      <ul>
+        <% @user.errors.full_messages.each do |message| %>
+          <li><%= message %></li>
+        <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <div>
+    <% if @user.avatar.attached? %>
+      <%= image_tag @user.avatar.variant(resize_to_limit: [100, 100]) %>
+    <% end %>
+    <%= f.label :avatar %>
+    <%= f.file_field :avatar %>
+  </div>
+
+  <div>
+    <%= f.label :email %>
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+  </div>
+
+  <div>
+    <%= f.label :password %>
+    <i>(leave blank if you don't want to change it)</i>
+    <%= f.password_field :password, autocomplete: "new-password" %>
+  </div>
+
+  <div>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+  </div>
+
+  <div>
+    <%= f.submit "Update Profile" %>
+  </div>
+<% end %>
+
+<%= link_to "Back to Security", rails_auth.security_sessions_path %>

data/app/views/rails/auth/registrations/new.html.erb

@@ -0,0 +1,40 @@
+<h2>Sign up</h2>
+
+<%= form_with model: @user, url: rails_auth.registration_path do |f| %>
+  <% if @user.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@user.errors.count, "error") %> prohibited this user from being saved:</h2>
+      <ul>
+        <% @user.errors.full_messages.each do |message| %>
+          <li><%= message %></li>
+        <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <div>
+    <%= f.label :email %>
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+  </div>
+
+  <div>
+    <%= f.label :avatar %>
+    <%= f.file_field :avatar %>
+  </div>
+
+  <div>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: "new-password" %>
+  </div>
+
+  <div>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+  </div>
+
+  <div>
+    <%= f.submit "Sign up" %>
+  </div>
+<% end %>
+
+<%= link_to "Sign in", rails_auth.new_session_path %>

data/app/views/rails/auth/security/sessions.html.erb

@@ -0,0 +1,92 @@
+<h2>Account Security</h2>
+
+<div style="margin-bottom: 20px;">
+  <% if current_user.avatar.attached? %>
+    <%= image_tag current_user.avatar.variant(resize_to_limit: [100, 100]), style: "border-radius: 50%;" %>
+  <% else %>
+    <div style="width: 100px; height: 100px; background: #eee; border-radius: 50%; display: flex; align-items: center; justify-content: center;">
+      No Avatar
+    </div>
+  <% end %>
+  <p><strong><%= current_user.email %></strong> (<%= current_user.role.capitalize %>)</p>
+  <%= link_to "Edit Profile & Avatar", rails_auth.edit_profile_path %>
+</div>
+
+<hr>
+
+<h2>Security Audit Log</h2>
+
+<table>
+  <thead>
+    <tr>
+      <th>Event</th>
+      <th>IP Address</th>
+      <th>Date</th>
+      <th>Details</th>
+    </tr>
+  </thead>
+  <tbody>
+    <% current_user.security_events.order(created_at: :desc).limit(20).each do |event| %>
+      <tr>
+        <td><%= event.event_type.titleize %></td>
+        <td><%= event.ip_address %></td>
+        <td><%= event.created_at.strftime("%Y-%m-%d %H:%M:%S") %></td>
+        <td><small><%= event.details %></small></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<hr>
+
+<h2>Active Sessions</h2>
+
+<%= button_to "Sign out of all devices", rails_auth.revoke_all_sessions_path, method: :delete, data: { confirm: "Are you sure? This will sign you out of all devices including this one." } %>
+
+<hr>
+
+<div>
+  <strong>Two-Factor Authentication (MFA)</strong>
+  <% if current_user.otp_enabled? %>
+    <span style="color: green;">Enabled</span>
+  <% else %>
+    <span style="color: red;">Disabled</span>
+  <% end %>
+  <%= link_to "Manage MFA", rails_auth.mfa_path %>
+</div>
+
+<hr>
+
+<table>
+  <thead>
+    <tr>
+      <th>Device / Browser</th>
+      <th>IP Address</th>
+      <th>Last Active</th>
+      <th>Status</th>
+      <th>Action</th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @sessions.each do |session| %>
+      <tr>
+        <td>
+          <strong><%= session.browser || "Unknown Browser" %></strong><br>
+          <small><%= session.os || "Unknown OS" %></small>
+        </td>
+        <td><%= session.ip_address %></td>
+        <td><%= time_ago_in_words(session.last_active_at) %> ago</td>
+        <td>
+          <% if session == current_session %>
+            <strong>Current</strong>
+          <% else %>
+            Active
+          <% end %>
+        </td>
+        <td>
+          <%= button_to "Revoke", rails_auth.revoke_session_path(session), method: :delete, data: { confirm: "Are you sure?" } %>
+        </td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>

data/app/views/rails/auth/sessions/new.html.erb

@@ -0,0 +1,20 @@
+<h2>Sign in</h2>
+
+<%= form_with url: rails_auth.session_path do |f| %>
+  <div>
+    <%= f.label :email %>
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+  </div>
+
+  <div>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: "current-password" %>
+  </div>
+
+  <div>
+    <%= f.submit "Sign in" %>
+    <%= link_to "Forgot password?", rails_auth.new_password_reset_path %>
+  </div>
+<% end %>
+
+<%= link_to "Sign up", rails_auth.new_registration_path %>

data/app/views/rails/auth/user_mailer/confirmation_instructions.html.erb

@@ -0,0 +1,5 @@
+<h1>Welcome <%= @user.email %>!</h1>
+
+<p>You can confirm your account email through the link below:</p>
+
+<p><%= link_to 'Confirm my account', rails_auth.confirmation_url(confirmation_token: @user.confirmation_token) %></p>

data/app/views/rails/auth/user_mailer/password_reset.html.erb

@@ -0,0 +1,8 @@
+<h1>Password Reset</h1>
+
+<p>To reset your password, click the link below:</p>
+
+<p><%= link_to "Reset Password", rails_auth.edit_password_reset_url(@user.reset_token) %></p>
+
+<p>If you did not request a password reset, please ignore this email.</p>
+<p>This link will expire in 2 hours.</p>

data/app/views/rails/auth/user_mailer/password_reset.text.erb

@@ -0,0 +1,8 @@
+Password Reset
+
+To reset your password, visit the following URL:
+
+<%= rails_auth.edit_password_reset_url(@user.reset_token) %>
+
+If you did not request a password reset, please ignore this email.
+This link will expire in 2 hours.

data/app/views/rails/auth/user_mailer/unlock_instructions.html.erb

@@ -0,0 +1,7 @@
+<h1>Hello <%= @user.email %>!</h1>
+
+<p>Your account has been locked due to an excessive number of unsuccessful sign in attempts.</p>
+
+<p>Click the link below to unlock your account:</p>
+
+<p><%= link_to 'Unlock my account', rails_auth.unlock_url(unlock_token: @user.unlock_token) %></p>