rails_auth_generator 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 85d77a6bc6b301f548d4b32df46624745643fca4c44549abac11c9ed1649b3c6
-  data.tar.gz: da6497b98e1fb6e88ebd045d7879f4be199242f7ef5339617ef62c69b56f505f
+  metadata.gz: 57cf671f5c6352bcd54a7a4766bc3ae0dc0a515d2eca9df4508f59e2da941dde
+  data.tar.gz: e67935ab3b0c63a1765a4411818d5d945ae8ac6ad9d22f6e32f9af895d7c54ff
 SHA512:
-  metadata.gz: ad1a93631c931470ba58429e00d42148945806ae6bef329097c69128d6858f34232b47ecfefd0f903795028222fa1f5027a79b05a1e7d009cb87876396a2db25
-  data.tar.gz: f11d8ed3bf418bf57574db49f40ff9a3b96a7b80439f272ba23a2596d205dc7fda006599efb7f7c2e6d193c8286676d31673938719844aac7e1836fe8cfe3005
+  metadata.gz: 260738a21ff80dc301f384c446539bb9a98fd882f38db0a000fb46fd7dacba7202f61dc2f7c4ebaf9860b7414b501e2578fbfc825676d003d960fdd9466101d5
+  data.tar.gz: 4b3fc7f835b388f967edcbba74a6ee558a007dfd4ae6fedfea59600bd0885b4175f6b59ab5c2f2ff2e49ad8cd0bd6e0fcbc18b37caafe235be054f9227285a22

data/README.md

@@ -1,43 +1,149 @@
 # RailsAuthGenerator
 
-TODO: Delete this and the text below, and describe your gem
+**RailsAuthGenerator** is a Rails generator that scaffolds a **JWT-based authentication system** with user management, password resets, refresh token rotation, and secure cookie handling. It saves you weeks of setup by providing all the models, controllers, serializers, and mailers you need for a robust, production-ready authentication flow.
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/rails_auth_generator`. To experiment with that code, run `bin/console` for an interactive prompt.
+---
 
-## Installation
+## ✨ Features
 
-TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
+- 🔑 **JWT Authentication**
+  - Access tokens (short-lived, default 15 min)
+  - Refresh tokens (stored securely in HttpOnly cookies)
+  - Token rotation + reuse detection
+  - Logout everywhere
+- 👤 **User management**
+  - User model with secure password
+  - Role support (admin, user)
+- ✉️ **Password reset**
+  - Password reset tokens sent via email
+- 🛠️ **Rails Generators**
+  - User model + migrations
+  - Auth controllers (`auth`, `users`, `password_resets`)
+  - Serializers and mailers
+- ⚡ Works with **Rails 6.0+**
 
-Install the gem and add to the application's Gemfile by executing:
+---
 
-```bash
-bundle add UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
-```
+## 📦 Installation
 
-If bundler is not being used to manage dependencies, install the gem by executing:
+Add this line to your application's Gemfile:  
+`gem 'rails_auth_generator', '~> 0.1.0'`  
 
-```bash
-gem install UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
-```
+and then run:  
+`bundle install`  
 
-## Usage
+Or install it manually:  
+`gem install rails_auth_generator`  
 
-TODO: Write usage instructions here
+If you want the latest version from GitHub:  
+`gem 'rails_auth_generator', git: 'https://github.com/Zeyad-Hassan-1/authJWT.git'`
 
-## Development
+---
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+## 🚀 Usage
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+Generate the full authentication system:  
+`rails generate auth`  
 
-## Contributing
+Then run:  
+`bundle install`  
+`rails db:migrate`  
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/rails_auth_generator. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/rails_auth_generator/blob/master/CODE_OF_CONDUCT.md).
+This scaffolds:
+- User model & migrations
+- Controllers for authentication, users, and password resets
+- Mailers for password reset
+- Serializers for user data  
 
-## License
+You can freely customize the generated files to match your app’s requirements.
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+---
 
-## Code of Conduct
+## 🔧 Additional Setup
 
-Everyone interacting in the RailsAuthGenerator project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/rails_auth_generator/blob/master/CODE_OF_CONDUCT.md).
+### 1. Enable CORS
+Uncomment the CORS config in `config/initializers/cors.rb` if building an API:
+
+`Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '*',
+      headers: :any,
+      methods: [:get, :post, :put, :patch, :delete, :options, :head],
+      credentials: true
+  end
+end`
+
+### 2. Set JWT Secret
+Edit your Rails credentials:  
+`VISUAL="code --wait" bin/rails credentials:edit`  
+
+Add:
+
+`jwt:
+  secret: <your_generated_secret>`
+
+Generate a secret key:  
+`rails secret`  
+
+Replace `<your_generated_secret>` with the generated key.
+
+---
+
+## 📚 API Overview
+
+| Route             | Method | Description |
+|-------------------|--------|-------------|
+| `/signup`         | POST   | Create a new user |
+| `/login`          | POST   | Authenticate user, return JWT + set refresh cookie |
+| `/me`             | GET    | Get current logged-in user |
+| `/refresh`        | POST   | Rotate refresh token + issue new JWT |
+| `/logout`         | DELETE | Revoke refresh token + clear cookie |
+| `/password_resets`| POST   | Request a password reset |
+| `/password_resets` | PUT | Reset password with token |
+
+---
+
+## 🧪 Example Usage
+
+1. Sign up:  
+`curl -X POST http://localhost:3000/signup -H "Content-Type: application/json" -d '{"user": {"email":"test@example.com","password":"secret123"}}'`
+
+2. Login:  
+`curl -X POST http://localhost:3000/login -H "Content-Type: application/json" -d '{"email":"test@example.com","password":"secret123"}'`  
+➡️ Returns `{ "token": "...", "user": {...} }`  
+Refresh token is stored in an **HttpOnly cookie**.
+
+3. Access protected route:  
+`curl -H "Authorization: Bearer <your_token>" http://localhost:3000/me`
+
+4. Refresh token:  
+`curl -X POST http://localhost:3000/refresh`  
+➡️ Returns new access token, rotates refresh cookie.
+
+5. Logout:  
+`curl -X DELETE http://localhost:3000/logout`  
+➡️ Revokes refresh token + clears cookie.
+
+---
+
+## 🛡️ Security Defaults
+
+- Access tokens expire after **15 minutes**  
+- Refresh tokens expire after **7 days**  
+- Refresh tokens are **rotated on every use**  
+- Reused tokens trigger **global logout**  
+
+---
+
+## 🤝 Contributing
+
+Bug reports and pull requests are welcome on GitHub at [https://github.com/Zeyad-Hassan-1/authJWT](https://github.com/Zeyad-Hassan-1/authJWT).  
+
+This project follows a [Code of Conduct](CODE_OF_CONDUCT.md). Please respect it in all interactions.
+
+---
+
+## 📄 License
+
+This gem is available as open source under the terms of the [MIT License](LICENSE.txt).

data/README_NEW.md

@@ -1,59 +0,0 @@
-# RailsAuthGenerator
-
-RailsAuthGenerator provides Rails generators for authentication, user management, password resets, and mailers, streamlining the setup of secure user authentication in Rails applications. It helps you quickly scaffold all necessary models, controllers, mailers, and migrations for a robust authentication system.
-
-## Features
-
-- User model and migration generator
-- Authentication controller and password reset controller
-- User serializer for API responses
-- Mailers for sending token to reset password
-- Easy integration with Rails 6.0+
-
-## Installation
-
-Add this line to your application's Gemfile:
-
-```ruby
-bundle add rails_auth_generator
-```
-
-Or install it manually:
-
-```bash
-gem install rails_auth_generator
-```
-
-If you want to use the latest version from GitHub:
-
-```ruby
-gem 'rails_auth_generator', git: 'https://github.com/Zeyad-Hassan-1/authJWT.git'
-```
-
-## Usage
-
-Run the generator to scaffold authentication features:
-
-```bash
-rails generate auth
-```
-
-This will create:
-- User model and migration
-- Authentication controllers (auth, password resets, users)
-- Mailers for sending token to reset password
-- Serializers for user data
-
-You can customize the generated files as needed for your application.
-
-## Contributing
-
-Bug reports and pull requests are welcome on GitHub at [https://github.com/Zeyad-Hassan-1/authJWT](https://github.com/Zeyad-Hassan-1/authJWT). This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](CODE_OF_CONDUCT.md).
-
-## License
-
-The gem is available as open source under the terms of the [MIT License](LICENSE.txt).
-
-## Code of Conduct
-
-Everyone interacting in the RailsAuthGenerator project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](CODE_OF_CONDUCT.md).

data/lib/generators/auth/auth_generator.rb

@@ -2,31 +2,41 @@ class AuthGenerator < Rails::Generators::Base
   include Rails::Generators::Migration
   source_root File.expand_path("templates", __dir__)
 
-  def modify_gemfile
-insert_into_file "Gemfile",  after: /^source ['"].*['"]\n/ do
-  <<~RUBY
-    gem 'bcrypt', '~> 3.1', '>= 3.1.12'
-    gem 'jwt', '~> 2.5'
-    gem 'rack-cors'
-    gem 'active_model_serializers', '~> 0.10.12'
-  RUBY
+def modify_gemfile
+    insert_into_file "Gemfile",  after: /^source ['"].*['"]\n/ do
+    <<~RUBY
+      gem 'bcrypt', '~> 3.1', '>= 3.1.12'
+      gem 'jwt', '~> 2.5'
+      gem 'rack-cors'
+      gem 'active_model_serializers', '~> 0.10.12'
+    RUBY
+    end
 end
 
+def modify_application_rb
+  insert_into_file "config/application.rb", after: "config.api_only = true" do
+    <<~RUBY
+      config.middleware.use ActionDispatch::Cookies
+    RUBY
   end
 
+end
+
   def add_routes
     route <<~RUBY
-    # config/routes.rb
-      post '/login', to: 'auth#login'
-      post '/signup', to: 'users#create'
-      get '/me', to: 'users#me'
-      resources :password_resets, only: [:create] do
-        collection do
-          put '/', to: 'password_resets#update'  # PUT /password_resets
+      # config/routes.rb
+        post '/login', to: 'auth#login'
+        post '/refresh', to: 'auth#refresh'
+        post '/logout', to: 'auth#logout'
+        post '/signup', to: 'users#create'
+        get '/me', to: 'users#me'
+        resources :password_resets, only: [:create] do
+          collection do
+            put '/', to: 'password_resets#update'  # PUT /password_resets
+          end
         end
-      end
-      # Admin routes
-      post '/users/:id/make_admin', to: 'users#make_admin'
+        # Admin routes
+        post '/users/:id/make_admin', to: 'users#make_admin'
     RUBY
   end
 
@@ -36,6 +46,7 @@ end
     template "users_controller.rb", "app/controllers/users_controller.rb"
     template "password_resets_controller.rb", "app/controllers/password_resets_controller.rb"
     template "user.rb", "app/models/user.rb"
+    template "refresh_token.rb", "app/models/refresh_token.rb"
     template "mailers/user_mailer.rb", "app/mailers/user_mailer.rb"
     template "mailers/application_mailer.rb", "app/mailers/application_mailer.rb"
   end
@@ -43,58 +54,64 @@ end
   def modify_application_controller
     inject_into_class "app/controllers/application_controller.rb", "ApplicationController" do
       <<~RUBY
-        before_action :authorized
+      include ActionController::Cookies
+      before_action :authorized
+      SECRET_KEY = Rails.application.credentials.dig(:jwt, :secret)
 
-        def encode_token(payload)
-          # Add admin status to the payload if user is admin
-          payload[:admin] = @user.admin? if @user.is_a?(User)
-          JWT.encode(payload, 'hellomars1211') 
-        end
 
-        def decoded_token
-          header = request.headers['Authorization']
-          if header
-            token = header.split(" ")[1]
-            begin
-              JWT.decode(token, 'hellomars1211', true, algorithm: 'HS256')
-            rescue JWT::DecodeError
-              nil
-            end
-          end
-        end
+      def encode_token(payload, exp = 15.minutes.from_now)
+        # Add admin status to the payload if user is admin
+        payload[:admin] = @user.admin? if @user.is_a?(User)
+        payload[:exp] = exp.to_i
+        JWT.encode(payload, SECRET_KEY) 
+      end
 
-        def current_user 
-          if decoded_token
-            user_id = decoded_token[0]['user_id']
-            @user = User.find_by(id: user_id)
+      def decoded_token
+        header = request.headers['Authorization']
+        if header
+          token = header.split(" ")[1]
+          begin
+            JWT.decode(token, SECRET_KEY, true, algorithm: 'HS256')
+          rescue JWT::DecodeError
+            nil
           end
         end
+      end
 
-        def current_admin
-          current_user && (current_user.admin? || decoded_token[0]['admin'])
+      def current_user 
+        if decoded_token
+          user_id = decoded_token[0]['user_id']
+          @user = User.find_by(id: user_id)
         end
+      end
 
-        def authorized
-          unless !!current_user
-            render json: { message: 'Please log in' }, status: :unauthorized
-          end
-        end
+      def current_admin
+        current_user && (current_user.admin? || decoded_token[0]['admin'])
+      end
 
-        def admin_authorized
-          unless current_admin
-            render json: { message: 'Admin access required' }, status: :forbidden
-          end
+      def authorized
+        unless !!current_user
+          render json: { message: 'Please log in' }, status: :unauthorized
         end
+      end
 
+      def admin_authorized
+        unless current_admin
+          render json: { message: 'Admin access required' }, status: :forbidden
+        end
+      end
       RUBY
     end
   end
 
-  def self.next_migration_number(dirname)
-    Time.now.utc.strftime("%Y%m%d%H%M%S")
-  end
+def self.next_migration_number(dirname)
+  @prev_migration_nr ||= Time.now.utc.strftime("%Y%m%d%H%M%S").to_i
+  @prev_migration_nr += 1
+  @prev_migration_nr.to_s
+end
 
   def copy_migration
     migration_template "migrations/create_user.rb", "db/migrate/create_users.rb"
+    migration_template "migrations/create_refresh_token.rb", "db/migrate/create_refresh_tokens.rb"
   end
 end

data/lib/generators/auth/templates/auth_controller.rb

@@ -1,22 +1,78 @@
+require "digest"
+
 class AuthController < ApplicationController
-  skip_before_action :authorized, only: [:login]
+  skip_before_action :authorized, only: [:login, :refresh, :logout]
   rescue_from ActiveRecord::RecordNotFound, with: :handle_record_not_found
 
-  def login 
-    @user = User.find_by!(username: login_params[:username])
-    if @user.authenticate(login_params[:password])
-      @token = encode_token(user_id: @user.id)
+  def login
+    user = User.find_by!(username: params[:username])
+    if user.authenticate(params[:password])
+      access_token  = encode_token({ user_id: user.id }, 15.minutes.from_now)
+      refresh_raw   = user.generate_refresh_token
+
+      set_refresh_cookie(refresh_raw, 7.days.from_now)
+
       render json: {
-        user: UserSerializer.new(@user),
-        token: @token
-      }, status: :accepted
+        user: UserSerializer.new(user),
+        access_token: access_token
+        # (we're NOT returning refresh in JSON for security)
+      }, status: :ok
     else
-      render json: {message: 'Incorrect password'}, status: :unauthorized
+      render json: { error: "Invalid credentials" }, status: :unauthorized
+    end
+  end
+
+  def refresh
+  raw = cookies.encrypted[:refresh_token] || params[:refresh_token]
+  return render json: { error: "missing refresh token" }, status: :unauthorized if raw.blank?
+
+  digest = Digest::SHA256.hexdigest(raw)
+  rt = RefreshToken.find_by(token_digest: digest)
+
+  if rt.nil? || rt.revoked_at.present? || rt.expires_at.past?
+    rt&.user&.revoke_all_refresh_tokens!
+    cookies.delete(:refresh_token)
+    return render json: { error: "Invalid or reused refresh token. Logged out everywhere." }, status: :unauthorized
+  end
+
+  # Issue new access + refresh token
+  new_access_token  = encode_token({ user_id: rt.user_id }, 15.minutes.from_now)
+  new_refresh_token = rt.user.generate_refresh_token
+
+  # revoke the old token
+  rt.update!(revoked_at: Time.current)
+
+  # 🔑 store new refresh token in HttpOnly cookie
+  set_refresh_cookie(new_refresh_token, 7.days.from_now)
+
+  render json: { access_token: new_access_token }, status: :ok
+end
+
+
+
+  def logout
+    raw = cookies.encrypted[:refresh_token] || params[:refresh_token]
+    if raw.present?
+      digest = Digest::SHA256.hexdigest(raw)
+      RefreshToken.find_by(token_digest: digest)&.destroy
+      cookies.delete(:refresh_token)
     end
+    render json: { message: "Logged out" }, status: :ok
   end
 
+
   private 
 
+    def set_refresh_cookie(raw_token, expires_at)
+    cookies.encrypted[:refresh_token] = {
+      value:     raw_token,
+      httponly:  true,
+      secure:    Rails.env.production?,
+      same_site: :lax,
+      expires:   expires_at
+    }
+  end
+
   def login_params 
     params.permit(:username, :password)
   end
@@ -24,4 +80,5 @@ class AuthController < ApplicationController
   def handle_record_not_found(e)
     render json: { message: "User doesn't exist" }, status: :unauthorized
   end
+
 end

data/lib/generators/auth/templates/migrations/create_refresh_token.rb

@@ -0,0 +1,14 @@
+class CreateRefreshTokens < ActiveRecord::Migration[8.0]
+  def change
+    create_table :refresh_tokens do |t|
+      t.references :user, null: false, foreign_key: true
+      t.string     :token_digest, null: false
+      t.datetime   :expires_at,   null: false
+      t.datetime   :revoked_at
+
+      t.timestamps
+    end
+
+    add_index :refresh_tokens, :token_digest, unique: true
+  end
+end

data/lib/generators/auth/templates/refresh_token.rb

@@ -0,0 +1,9 @@
+class RefreshToken < ApplicationRecord
+  belongs_to :user
+  scope :active, -> { where("expires_at > ?", Time.current) }
+  validates :token_digest, presence: true, uniqueness: true
+
+  def expired?
+    Time.current >= expires_at
+  end
+end

data/lib/generators/auth/templates/user.rb

@@ -1,7 +1,25 @@
+require "digest"
+
 class User < ApplicationRecord
     has_secure_password
+    has_many :refresh_tokens, dependent: :destroy
     validates :username, uniqueness: true
-    # validates :email, presence: true, uniqueness: true
+
+    # returns the RAW token (client uses this), stores only SHA256 digest
+    def generate_refresh_token
+        raw   = SecureRandom.hex(64)
+        digest = Digest::SHA256.hexdigest(raw)
+        refresh_tokens.create!(
+        token_digest: digest,
+        expires_at: 7.days.from_now
+        )
+        raw
+    end
+
+    # revoke all tokens for this user
+    def revoke_all_refresh_tokens!
+        refresh_tokens.update_all(revoked_at: Time.current)
+    end
 
     def generate_password_reset_token!
         self.reset_token = SecureRandom.urlsafe_base64

data/lib/generators/auth/templates/users_controller.rb

@@ -26,7 +26,7 @@ class UsersController < ApplicationController
   private
 
     def user_params 
-        params.permit(:username, :password, :bio)
+        params.permit(:username, :password, :bio, :email)
     end
 
   def handle_invalid_record(e)

data/lib/rails_auth_generator/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsAuthGenerator
-  VERSION = "0.1.0"
+  VERSION = "0.2.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails_auth_generator
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Zeyad Hassan
@@ -49,8 +49,10 @@ files:
 - lib/generators/auth/templates/auth_controller.rb
 - lib/generators/auth/templates/mailers/application_mailer.rb
 - lib/generators/auth/templates/mailers/user_mailer.rb
+- lib/generators/auth/templates/migrations/create_refresh_token.rb
 - lib/generators/auth/templates/migrations/create_user.rb
 - lib/generators/auth/templates/password_resets_controller.rb
+- lib/generators/auth/templates/refresh_token.rb
 - lib/generators/auth/templates/user.rb
 - lib/generators/auth/templates/user_serializer.rb
 - lib/generators/auth/templates/users_controller.rb