rails_jwt_auth 1.3.1 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ce38e7a38fa015a6dbf8b1504e41fd273cf3646d0b2d9053c63476d55b3c729
-  data.tar.gz: 9581d2075661754ed5d43f3a344c8d3fd0da631b9b5c8ea8e51b65fa14bb2c33
+  metadata.gz: 69a475be8d5dab54fa47660b2f4b8679cae86ad9b55c94aaa03c203eed2ea77c
+  data.tar.gz: bfb0807d0ac1ae764ce96da16343e793585d69379cc262be1082cbe67658d166
 SHA512:
-  metadata.gz: f0bdc862727abcdc1db5d1a3e00bd124b7ac15e45d47e483b8487ba46854dfc68edda3a1dcef1d5cda55fb733840f7679f2bbd03996cae3ee4e775d0f12f5a5d
-  data.tar.gz: 58cd478adf9a9145fb33e7f531e8010faa6e68f86243478515333acc9aa5578531f047ca059620ae1ce867cff8fbbf7a03de5ceb81e30ede35b9d8360e5392b6
+  metadata.gz: 65c67921e7cc2a63f219b583716a75b7b1a6fbf8d149f25a7e4163414fc1a9243c3d43b10c028b8020ae6944833cfd649aec5f4bd6f6b3bb71d0852c8832f294
+  data.tar.gz: 13dfac135db5c7bd74c6bb49bfe0bff51196190037e11c500e1fa7ad9531d3b4cabfb1aa5b5d208e962db3b058539eb8ae22db526343042d2f814d9c4b871f10

data/README.md

@@ -78,11 +78,17 @@ You can edit configuration options into `config/initializers/auth_token_auth.rb`
 | confirmations_url               | nil               | Url used to create email link with confirmation token                  |
 | reset_passwords_url             | nil               | Url used to create email link with reset password token                |
 | set_passwords_url               | nil               | Url used to create email link with set password token                  |
-| invitationss_url                | nil               | Url used to create email link with invitation token                    |
+| invitations_url                 | nil               | Url used to create email link with invitation token                    |
+| maximum_attempts                | 3                 | Number of failed login attempts before locking an account              |
+| lock_strategy                   | :none             | Strategy to be used to lock an account: `:none` or `:failed_attempts`  |
+| unlock_strategy                 | :time             | Strategy to use when unlocking accounts: `:time`, `:email` or `:both`  |
+| unlock_in                       | 60.minutes        | Interval to unlock an account if `unlock_strategy` is `:time`          |
+| reset_attempts_in               | 60.minutes        | Interval after which to reset failed attempts counter of an account    |
+| unlock_url                      | nil               | Url used to create email link with unlock token                        |
 
 ## Modules
 
-It's composed of 5 modules:
+It's composed of 6 modules:
 
 | Module        | Description                                                                                                     |
 | ------------- | --------------------------------------------------------------------------------------------------------------- |
@@ -91,6 +97,7 @@ It's composed of 5 modules:
 | Recoverable   | Resets the user password and sends reset instructions                                                           |
 | Trackable     | Tracks sign in timestamps and IP address                                                                        |
 | Invitable     | Allows you to invite an user to your application sending an invitation mail                                     |
+| Lockable      | Locks the user after a specified number of failed sign in attempts                                              |
 
 ## ORMs support
 
@@ -108,6 +115,7 @@ class User < ApplicationRecord
   include RailsJwtAuth::Recoverable
   include RailsJwtAuth::Trackable
   include RailsJwtAuth::Invitable
+  include RailsJwtAuth::Lockable
 
   validates :email, presence: true,
                     uniqueness: true,
@@ -127,6 +135,7 @@ class User
   include RailsJwtAuth::Recoverable
   include RailsJwtAuth::Trackable
   include RailsJwtAuth::Invitable
+  include RailsJwtAuth::Lockable
 
   field :email, type: String
 
@@ -159,7 +168,7 @@ end
     end
     ```
 
-    This helper expect that token has been into **AUTHORIZATION** header.  
+    This helper expect that token has been into **AUTHORIZATION** header.
     Raises `RailsJwtAuth::NotAuthorized` exception when it fails.
 
 -   **authenticate**
@@ -342,6 +351,19 @@ Invitations api is provided by `RailsJwtAuth::InvitationsController`.
 
 Note: To add more fields, see "Custom strong parameters" below.
 
+### Unlocks
+
+Unlock api is provided by `RailsJwtAuth::UnlocksController`.
+
+1.  Unlock user:
+
+```js
+{
+  url: host/unlocks/:unlock_token,
+  method: PUT
+}
+```
+
 ## Customize
 
 RailsJwtAuth offers an easy way to customize certain parts.

data/app/controllers/rails_jwt_auth/sessions_controller.rb

@@ -10,10 +10,10 @@ module RailsJwtAuth
         render_422 session: [{error: :invalid_session}]
       elsif user.respond_to?('confirmed?') && !user.confirmed?
         render_422 session: [{error: :unconfirmed}]
-      elsif user.authenticate(session_create_params[:password])
+      elsif user.authentication?(session_create_params[:password])
         render_session generate_jwt(user), user
       else
-        render_422 session: [{error: :invalid_session}]
+        render_422 session: [user.unauthenticated_error]
       end
     end
 

data/app/controllers/rails_jwt_auth/unlocks_controller.rb

@@ -0,0 +1,14 @@
+module RailsJwtAuth
+  class UnlocksController < ApplicationController
+    include ParamsHelper
+    include RenderHelper
+
+    def update
+      return render_404 unless
+        params[:id] &&
+        (user = RailsJwtAuth.model.where(unlock_token: params[:id]).first)
+
+      user.unlock_access! ? render_204 : render_422(user.errors.details)
+    end
+  end
+end

data/app/mailers/rails_jwt_auth/mailer.rb

@@ -6,10 +6,11 @@ if defined?(ActionMailer)
       raise RailsJwtAuth::NotConfirmationsUrl unless RailsJwtAuth.confirmations_url.present?
       @user = user
 
-      url, params = RailsJwtAuth.confirmations_url.split('?')
-      params = params ? params.split('&') : []
-      params.push("confirmation_token=#{@user.confirmation_token}")
-      @confirmations_url = "#{url}?#{params.join('&')}"
+      @confirmations_url = add_param_to_url(
+        RailsJwtAuth.confirmations_url,
+        'confirmation_token',
+        @user.confirmation_token
+      )
 
       subject = I18n.t('rails_jwt_auth.mailer.confirmation_instructions.subject')
       mail(to: @user.unconfirmed_email || @user[RailsJwtAuth.email_field_name], subject: subject)
@@ -25,10 +26,11 @@ if defined?(ActionMailer)
       raise RailsJwtAuth::NotResetPasswordsUrl unless RailsJwtAuth.reset_passwords_url.present?
       @user = user
 
-      url, params = RailsJwtAuth.reset_passwords_url.split('?')
-      params = params ? params.split('&') : []
-      params.push("reset_password_token=#{@user.reset_password_token}")
-      @reset_passwords_url = "#{url}?#{params.join('&')}"
+      @reset_passwords_url = add_param_to_url(
+        RailsJwtAuth.reset_passwords_url,
+        'reset_password_token',
+        @user.reset_password_token
+      )
 
       subject = I18n.t('rails_jwt_auth.mailer.reset_password_instructions.subject')
       mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
@@ -38,10 +40,11 @@ if defined?(ActionMailer)
       raise RailsJwtAuth::NotSetPasswordsUrl unless RailsJwtAuth.set_passwords_url.present?
       @user = user
 
-      url, params = RailsJwtAuth.set_passwords_url.split('?')
-      params = params ? params.split('&') : []
-      params.push("reset_password_token=#{@user.reset_password_token}")
-      @reset_passwords_url = "#{url}?#{params.join('&')}"
+      @reset_passwords_url = add_param_to_url(
+        RailsJwtAuth.set_passwords_url,
+        'reset_password_token',
+        @user.reset_password_token
+      )
 
       subject = I18n.t('rails_jwt_auth.mailer.set_password_instructions.subject')
       mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
@@ -51,13 +54,32 @@ if defined?(ActionMailer)
       raise RailsJwtAuth::NotInvitationsUrl unless RailsJwtAuth.invitations_url.present?
       @user = user
 
-      url, params = RailsJwtAuth.invitations_url.split '?'
-      params = params ? params.split('&') : []
-      params.push("invitation_token=#{@user.invitation_token}")
-      @invitations_url = "#{url}?#{params.join('&')}"
+      @invitations_url = add_param_to_url(
+        RailsJwtAuth.invitations_url,
+        'invitation_token',
+        @user.invitation_token
+      )
 
       subject = I18n.t('rails_jwt_auth.mailer.send_invitation.subject')
       mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
     end
+
+    def send_unlock_instructions(user)
+      @user = user
+      subject = I18n.t('rails_jwt_auth.mailer.send_unlock_instructions.subject')
+
+      @unlock_url = add_param_to_url(RailsJwtAuth.unlock_url, 'unlock_token', @user.unlock_token)
+
+      mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
+    end
+
+    protected
+
+    def add_param_to_url(url, param_name, param_value)
+      path, params = url.split '?'
+      params = params ? params.split('&') : []
+      params.push("#{param_name}=#{param_value}")
+      "#{path}?#{params.join('&')}"
+    end
   end
 end

data/app/models/concerns/rails_jwt_auth/authenticatable.rb

@@ -65,6 +65,14 @@ module RailsJwtAuth
       end
     end
 
+    def authentication?(pass)
+      authenticate(pass)
+    end
+
+    def unauthenticated_error
+      {error: :invalid_session}
+    end
+
     module ClassMethods
       def from_token_payload(payload)
         if RailsJwtAuth.simultaneous_sessions > 0

data/app/models/concerns/rails_jwt_auth/lockable.rb

@@ -0,0 +1,115 @@
+module RailsJwtAuth
+  module Lockable
+    BOTH_UNLOCK_STRATEGIES = %i[time email].freeze
+
+    def self.included(base)
+      base.class_eval do
+        if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
+          field :failed_attempts,         type: Integer
+          field :unlock_token,            type: String
+          field :first_failed_attempt_at, type: Time
+          field :locked_at,               type: Time
+        end
+      end
+    end
+
+    def lock_access!
+      self.locked_at = Time.now.utc
+      save(validate: false).tap do |result|
+        send_unlock_instructions if result && unlock_strategy_enabled?(:email)
+      end
+    end
+
+    def unlock_access!
+      self.locked_at = nil
+      self.failed_attempts = 0
+      self.first_failed_attempt_at = nil
+      self.unlock_token = nil
+      save(validate: false)
+    end
+
+    def reset_attempts!
+      self.failed_attempts = 0
+      self.first_failed_attempt_at = nil
+      save(validate: false)
+    end
+
+    def authentication?(pass)
+      return super(pass) unless lock_strategy_enabled?(:failed_attempts)
+
+      reset_attempts! if !access_locked? && attempts_expired?
+      unlock_access! if lock_expired?
+
+      if access_locked?
+        false
+      elsif super(pass)
+        unlock_access!
+        self
+      else
+        failed_attempt!
+        lock_access! if attempts_exceeded?
+        false
+      end
+    end
+
+    def unauthenticated_error
+      return super unless lock_strategy_enabled?(:failed_attempts)
+
+      if access_locked?
+        {error: :locked}
+      else
+        {error: :invalid_session, remaining_attempts: remaining_attempts}
+      end
+    end
+
+    protected
+
+    def send_unlock_instructions
+      self.unlock_token = SecureRandom.base58(24)
+      save(validate: false)
+
+      mailer = Mailer.send_unlock_instructions(self)
+      RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+    end
+
+    def access_locked?
+      locked_at && !lock_expired?
+    end
+
+    def lock_expired?
+      if unlock_strategy_enabled?(:time)
+        locked_at && locked_at < RailsJwtAuth.unlock_in.ago
+      else
+        false
+      end
+    end
+
+    def failed_attempt!
+      self.failed_attempts ||= 0
+      self.failed_attempts += 1
+      self.first_failed_attempt_at = Time.now.utc if failed_attempts == 1
+      save(validate: false)
+    end
+
+    def attempts_exceeded?
+      failed_attempts && failed_attempts >= RailsJwtAuth.maximum_attempts
+    end
+
+    def remaining_attempts
+      RailsJwtAuth.maximum_attempts - failed_attempts.to_i
+    end
+
+    def attempts_expired?
+      first_failed_attempt_at && first_failed_attempt_at < RailsJwtAuth.reset_attempts_in.ago
+    end
+
+    def lock_strategy_enabled?(strategy)
+      RailsJwtAuth.lock_strategy == strategy
+    end
+
+    def unlock_strategy_enabled?(strategy)
+      RailsJwtAuth.unlock_strategy == strategy ||
+        (RailsJwtAuth.unlock_strategy == :both && BOTH_UNLOCK_STRATEGIES.include?(strategy))
+    end
+  end
+end

data/app/models/concerns/rails_jwt_auth/recoverable.rb

@@ -27,6 +27,12 @@ module RailsJwtAuth
         return false
       end
 
+      if self.class.ancestors.include?(RailsJwtAuth::Lockable) &&
+         lock_strategy_enabled?(:failed_attempts) && access_locked?
+        errors.add(email_field, :locked)
+        return false
+      end
+
       self.reset_password_token = SecureRandom.base58(24)
       self.reset_password_sent_at = Time.current
       return false unless save

data/app/views/rails_jwt_auth/mailer/send_unlock_instructions.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @user[RailsJwtAuth.email_field_name] %>!</p>
+
+<p>Your account has been locked due to an excessive number of unsuccessful sign in attempts.</p>
+
+<p>Click the link below to unlock your account:</p>
+
+<p><%= link_to 'Unlock my account', @unlock_url.html_safe %></p>

data/config/locales/en.yml

@@ -11,3 +11,5 @@ en:
         subject: "Someone has sent you an invitation!"
       email_changed:
         subject: "Email changed"
+      send_unlock_instructions:
+        subject: "Unlock instructions"

data/lib/generators/rails_jwt_auth/install_generator.rb

@@ -12,5 +12,6 @@ class RailsJwtAuth::InstallGenerator < Rails::Generators::Base
     route "resources :confirmations, controller: 'rails_jwt_auth/confirmations', only: [:create, :update]"
     route "resources :passwords, controller: 'rails_jwt_auth/passwords', only: [:create, :update]"
     route "resources :invitations, controller: 'rails_jwt_auth/invitations', only: [:create, :update]"
+    route "resources :unlocks, controller: 'rails_jwt_auth/unlocks', only: %i[update]"
   end
 end

data/lib/generators/templates/initializer.rb

@@ -44,4 +44,22 @@ RailsJwtAuth.setup do |config|
 
   # uses deliver_later to send emails instead of deliver method
   #config.deliver_later = false
+
+  # maximum login attempts before locking an account
+  #config.maximum_attempts = 3
+
+  # strategy to lock an account: :none or :failed_attempts
+  #config.lock_strategy = :failed_attempts
+
+  # strategy to use when unlocking accounts: :time, :email or :both
+  #config.unlock_strategy = :time
+
+  # interval to unlock an account if unlock_strategy is :time
+  #config.unlock_in = 60.minutes
+
+  # interval after which to reset failed attempts counter of an account
+  #config.reset_attempts_in = 60.minutes
+
+  # url used to create email link with unlock token
+  #config.unlock_url = 'http://frontend.com/unlock-account'
 end

data/lib/generators/templates/migration.rb

@@ -24,6 +24,12 @@ class Create<%= RailsJwtAuth.model_name.pluralize %> < ActiveRecord::Migration<%
       # t.datetime :invitation_sent_at
       # t.datetime :invitation_accepted_at
       # t.datetime :invitation_created_at
+
+      ## Lockable
+      # t.integer :failed_attempts
+      # t.string :unlock_token
+      # t.datetime :first_failed_attempt_at
+      # t.datetime :locked_at
     end
   end
 end

data/lib/rails_jwt_auth.rb

@@ -59,6 +59,24 @@ module RailsJwtAuth
   mattr_accessor :deliver_later
   self.deliver_later = false
 
+  mattr_accessor :maximum_attempts
+  self.maximum_attempts = 3
+
+  mattr_accessor :lock_strategy
+  self.lock_strategy = :none
+
+  mattr_accessor :unlock_strategy
+  self.unlock_strategy = :time
+
+  mattr_accessor :unlock_in
+  self.unlock_in = 60.minutes
+
+  mattr_accessor :reset_attempts_in
+  self.unlock_in = 60.minutes
+
+  mattr_accessor :unlock_url
+  self.unlock_url = nil
+
   def self.model
     model_name.constantize
   end

data/lib/rails_jwt_auth/version.rb

@@ -1,3 +1,3 @@
 module RailsJwtAuth
-  VERSION = '1.3.1'
+  VERSION = '1.4.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_jwt_auth
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.4.0
 platform: ruby
 authors:
 - rjurado
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-19 00:00:00.000000000 Z
+date: 2019-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -77,17 +77,20 @@ files:
 - app/controllers/rails_jwt_auth/passwords_controller.rb
 - app/controllers/rails_jwt_auth/registrations_controller.rb
 - app/controllers/rails_jwt_auth/sessions_controller.rb
+- app/controllers/rails_jwt_auth/unlocks_controller.rb
 - app/controllers/unauthorized_controller.rb
 - app/mailers/rails_jwt_auth/mailer.rb
 - app/models/concerns/rails_jwt_auth/authenticatable.rb
 - app/models/concerns/rails_jwt_auth/confirmable.rb
 - app/models/concerns/rails_jwt_auth/invitable.rb
+- app/models/concerns/rails_jwt_auth/lockable.rb
 - app/models/concerns/rails_jwt_auth/recoverable.rb
 - app/models/concerns/rails_jwt_auth/trackable.rb
 - app/views/rails_jwt_auth/mailer/confirmation_instructions.html.erb
 - app/views/rails_jwt_auth/mailer/email_changed.html.erb
 - app/views/rails_jwt_auth/mailer/reset_password_instructions.html.erb
 - app/views/rails_jwt_auth/mailer/send_invitation.html.erb
+- app/views/rails_jwt_auth/mailer/send_unlock_instructions.html.erb
 - app/views/rails_jwt_auth/mailer/set_password_instructions.html.erb
 - config/locales/en.yml
 - lib/generators/rails_jwt_auth/install_generator.rb