rails_jwt_auth 1.3.1 → 1.7.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ce38e7a38fa015a6dbf8b1504e41fd273cf3646d0b2d9053c63476d55b3c729
-  data.tar.gz: 9581d2075661754ed5d43f3a344c8d3fd0da631b9b5c8ea8e51b65fa14bb2c33
+  metadata.gz: fe3b51e7a2d8f1f7f8debef824a18683878451b1623b824e4b87f7ca8eef3f97
+  data.tar.gz: 7f2df300a20ecd34567dc76a1c8f03bd0abe89416056d048374ee9c6d1f786b6
 SHA512:
-  metadata.gz: f0bdc862727abcdc1db5d1a3e00bd124b7ac15e45d47e483b8487ba46854dfc68edda3a1dcef1d5cda55fb733840f7679f2bbd03996cae3ee4e775d0f12f5a5d
-  data.tar.gz: 58cd478adf9a9145fb33e7f531e8010faa6e68f86243478515333acc9aa5578531f047ca059620ae1ce867cff8fbbf7a03de5ceb81e30ede35b9d8360e5392b6
+  metadata.gz: 2262fed0d629d5ce892c39e6b3285e510e5817802e38c17375cd16c20ee9f757cc96cb82a0b33e662a968386ffb3674c60e21a538693834251fc9c25f62630c9
+  data.tar.gz: '0228cbd71bc2cdf9e77a0c7ec9bd58593c9b9540eaef6e169e779fc7f0499668862e4b8e1b13de0d3e96a1f854ebcffd4d05bd6af9e17f93ad2c34877334a427'

data/README.md

@@ -1,6 +1,6 @@
 # RailsJwtAuth
 
-[![Gem Version](https://badge.fury.io/rb/rails_jwt_auth.svg)](https://badge.fury.io/rb/rails_jwt_auth)
+![Gem Version](https://badge.fury.io/rb/rails_jwt_auth.svg)
 ![Build Status](https://travis-ci.org/rjurado01/rails_jwt_auth.svg?branch=master)
 
 Rails-API authentication solution based on JWT and inspired by Devise.
@@ -59,7 +59,7 @@ rails g rails_jwt_auth:migrate
 
 ## Configuration
 
-You can edit configuration options into `config/initializers/auth_token_auth.rb` file created by generator.
+You can edit configuration options into `config/initializers/rails_jwt_auth.rb` file created by generator.
 
 | Option                          | Default value     | Description                                                            |
 | ------------------------------- | ----------------- | ---------------------------------------------------------------------- |
@@ -78,11 +78,17 @@ You can edit configuration options into `config/initializers/auth_token_auth.rb`
 | confirmations_url               | nil               | Url used to create email link with confirmation token                  |
 | reset_passwords_url             | nil               | Url used to create email link with reset password token                |
 | set_passwords_url               | nil               | Url used to create email link with set password token                  |
-| invitationss_url                | nil               | Url used to create email link with invitation token                    |
+| invitations_url                 | nil               | Url used to create email link with invitation token                    |
+| maximum_attempts                | 3                 | Number of failed login attempts before locking an account              |
+| lock_strategy                   | :none             | Strategy to be used to lock an account: `:none` or `:failed_attempts`  |
+| unlock_strategy                 | :time             | Strategy to use when unlocking accounts: `:time`, `:email` or `:both`  |
+| unlock_in                       | 60.minutes        | Interval to unlock an account if `unlock_strategy` is `:time`          |
+| reset_attempts_in               | 60.minutes        | Interval after which to reset failed attempts counter of an account    |
+| unlock_url                      | nil               | Url used to create email link with unlock token                        |
 
 ## Modules
 
-It's composed of 5 modules:
+It's composed of 6 modules:
 
 | Module        | Description                                                                                                     |
 | ------------- | --------------------------------------------------------------------------------------------------------------- |
@@ -91,6 +97,7 @@ It's composed of 5 modules:
 | Recoverable   | Resets the user password and sends reset instructions                                                           |
 | Trackable     | Tracks sign in timestamps and IP address                                                                        |
 | Invitable     | Allows you to invite an user to your application sending an invitation mail                                     |
+| Lockable      | Locks the user after a specified number of failed sign in attempts                                              |
 
 ## ORMs support
 
@@ -108,6 +115,7 @@ class User < ApplicationRecord
   include RailsJwtAuth::Recoverable
   include RailsJwtAuth::Trackable
   include RailsJwtAuth::Invitable
+  include RailsJwtAuth::Lockable
 
   validates :email, presence: true,
                     uniqueness: true,
@@ -127,6 +135,7 @@ class User
   include RailsJwtAuth::Recoverable
   include RailsJwtAuth::Trackable
   include RailsJwtAuth::Invitable
+  include RailsJwtAuth::Lockable
 
   field :email, type: String
 
@@ -159,7 +168,7 @@ end
     end
     ```
 
-    This helper expect that token has been into **AUTHORIZATION** header.  
+    This helper expect that token has been into **AUTHORIZATION** header.
     Raises `RailsJwtAuth::NotAuthorized` exception when it fails.
 
 -   **authenticate**
@@ -178,12 +187,31 @@ end
 
     Return current signed-in user.
 
+-   **jwt_payload**
+
+    Return current jwt payload.
+
 -   **signed_in?**
 
     Verify if a user is signed in.
 
 ## Default Controllers API
 
+|       Prefix | Verb   | URI Pattern                  | Controller#Action                   |
+| ------------ | ------ | ---------------------------- | ----------------------------------- |
+|      session | DELETE | /session(.:format)           | rails_jwt_auth/sessions#destroy     |
+|              | POST   | /session(.:format)           | rails_jwt_auth/sessions#create      |
+| registration | POST   | /registration(.:format)      | rails_jwt_auth/registrations#create |
+|confirmations | POST   | /confirmations(.:format)     | rails_jwt_auth/confirmations#create |
+| confirmation | PATCH  | /confirmations/:id(.:format) | rails_jwt_auth/confirmations#update |
+|              | PUT    | /confirmations/:id(.:format) | rails_jwt_auth/confirmations#update |
+|    passwords | POST   | /passwords(.:format)         | rails_jwt_auth/passwords#create     |
+|     password | PATCH  | /passwords/:id(.:format)     | rails_jwt_auth/passwords#update     |
+|              | PUT    | /passwords/:id(.:format)     | rails_jwt_auth/passwords#update     |
+|  invitations | POST   | /invitations(.:format)       | rails_jwt_auth/invitations#create   |
+|   invitation | PATCH  | /invitations/:id(.:format)   | rails_jwt_auth/invitations#update   |
+|              | PUT    | /invitations/:id(.:format)   | rails_jwt_auth/invitations#update   |
+
 ### Session
 
 Session api is defined by `RailsJwtAuth::SessionsController`.
@@ -196,8 +224,8 @@ Session api is defined by `RailsJwtAuth::SessionsController`.
   method: POST,
   data: {
     session: {
-      email: "user@email.com",
-      password: "12345678"
+      email: 'user@email.com',
+      password: '12345678'
     }
   }
 }
@@ -225,36 +253,26 @@ Registration api is defined by `RailsJwtAuth::RegistrationsController`.
   method: POST,
   data: {
     user: {
-      email: "user@email.com",
-      password: "12345678"
+      email: 'user@email.com',
+      password: '12345678'
     }
   }
 }
 ```
 
-2.  Delete user:
-
-```js
-{
-  url: host/registration,
-  method: DELETE,
-  headers: { 'Authorization': 'Bearer auth_token'}
-}
-```
-
 ### Confirmation
 
 Confirmation api is defined by `RailsJwtAuth::ConfirmationsController`.
 
+It is necessary to set a value for `confirmations_url` option into `config/initializers/rails_jwt_auth.rb`.
+
 1.  Confirm user:
 
 ```js
 {
-  url: host/confirmation,
+  url: host/confirmations/:token,
   method: PUT
-  data: {
-    confirmation_token: "token"
-  }
+  data: {}
 }
 ```
 
@@ -262,11 +280,11 @@ Confirmation api is defined by `RailsJwtAuth::ConfirmationsController`.
 
 ```js
 {
-  url: host/confirmation,
+  url: host/confirmations,
   method: POST,
   data: {
     confirmation: {
-      email: "user@example.com"
+      email: 'user@example.com'
     }
   }
 }
@@ -280,11 +298,11 @@ Password api is defined by `RailsJwtAuth::PasswordsController`.
 
 ```js
 {
-  url: host/password,
+  url: host/passwords,
   method: POST,
   data: {
     password: {
-      email: "user@example.com"
+      email: 'user@example.com'
     }
   }
 }
@@ -294,10 +312,9 @@ Password api is defined by `RailsJwtAuth::PasswordsController`.
 
 ```js
 {
-  url: host/password,
+  url: host/passwords/:token,
   method: PUT,
   data: {
-    reset_password_token: "token",
     password: {
       password: '1234',
       password_confirmation: '1234'
@@ -318,7 +335,7 @@ Invitations api is provided by `RailsJwtAuth::InvitationsController`.
   method: POST,
   data: {
     invitation: {
-      email: "user@example.com",
+      email: 'user@example.com',
       // More fields of your user
     }
   }
@@ -342,6 +359,20 @@ Invitations api is provided by `RailsJwtAuth::InvitationsController`.
 
 Note: To add more fields, see "Custom strong parameters" below.
 
+### Unlocks
+
+Unlock api is provided by `RailsJwtAuth::UnlocksController`.
+
+1.  Unlock user:
+
+```js
+{
+  url: host/unlocks/:unlock_token,
+  method: PUT,
+  data: {}
+}
+```
+
 ## Customize
 
 RailsJwtAuth offers an easy way to customize certain parts.
@@ -414,7 +445,10 @@ class CurrentUserController < ApplicationController
 
   def update
     if update_params[:password]
-      current_user.update_with_password(update_params)
+      # update password and remove other sessions tokens
+      current_user.update_with_password(
+        update_params.merge(auth_tokens: [jwt_payload['auth_token']])
+      )
     else
       current_user.update_attributes(update_params)
     end
@@ -459,7 +493,7 @@ require 'rails_jwt_auth/spec_helpers'
 ...
 RSpec.configure do |config|
   ...
-  config.include RailsJwtAuth::SpecHelpers, :type => :controller
+  config.include RailsJwtAuth::SpecHelpers, type: :controller
 end
 ```
 
@@ -467,11 +501,11 @@ And then we can just call sign_in(user) to sign in as a user:
 
 ```ruby
 describe ExampleController
-  it "blocks unauthenticated access" do
-    expect { get :index }.to raise_error(RailsJwtAuth::Errors::NotAuthorized)
+  it 'blocks unauthenticated access' do
+    expect { get :index }.to raise_error(RailsJwtAuth::NotAuthorized)
   end
 
-  it "allows authenticated access" do
+  it 'allows authenticated access' do
     sign_in user
     get :index
     expect(response).to be_success

data/app/controllers/concerns/rails_jwt_auth/authenticable_helper.rb

@@ -6,18 +6,22 @@ module RailsJwtAuth
       @current_user
     end
 
+    def jwt_payload
+      @jwt_payload
+    end
+
     def signed_in?
       !current_user.nil?
     end
 
     def authenticate!
       begin
-        payload = RailsJwtAuth::JwtManager.decode_from_request(request).first
+        @jwt_payload = RailsJwtAuth::JwtManager.decode_from_request(request).first
       rescue JWT::ExpiredSignature, JWT::VerificationError, JWT::DecodeError
         unauthorize!
       end
 
-      if !@current_user = RailsJwtAuth.model.from_token_payload(payload)
+      if !@current_user = RailsJwtAuth.model.from_token_payload(@jwt_payload)
         unauthorize!
       elsif @current_user.respond_to? :update_tracked_fields!
         @current_user.update_tracked_fields!(request)
@@ -26,8 +30,8 @@ module RailsJwtAuth
 
     def authenticate
       begin
-        payload = RailsJwtAuth::JwtManager.decode_from_request(request).first
-        @current_user = RailsJwtAuth.model.from_token_payload(payload)
+        @jwt_payload = RailsJwtAuth::JwtManager.decode_from_request(request).first
+        @current_user = RailsJwtAuth.model.from_token_payload(@jwt_payload)
       rescue JWT::ExpiredSignature, JWT::VerificationError, JWT::DecodeError
         @current_user = nil
       end

data/app/controllers/concerns/rails_jwt_auth/params_helper.rb

@@ -9,7 +9,7 @@ module RailsJwtAuth
     end
 
     def confirmation_create_params
-      params.require(:confirmation).permit(:email)
+      params.require(:confirmation).permit(RailsJwtAuth.email_field_name)
     end
 
     def session_create_params
@@ -17,7 +17,7 @@ module RailsJwtAuth
     end
 
     def password_create_params
-      params.require(:password).permit(:email)
+      params.require(:password).permit(RailsJwtAuth.email_field_name)
     end
 
     def password_update_params
@@ -25,7 +25,7 @@ module RailsJwtAuth
     end
 
     def invitation_create_params
-      params.require(:invitation).permit(:email)
+      params.require(:invitation).permit(RailsJwtAuth.email_field_name)
     end
 
     def invitation_update_params

data/app/controllers/rails_jwt_auth/confirmations_controller.rb

@@ -4,7 +4,10 @@ module RailsJwtAuth
     include RenderHelper
 
     def create
-      user = RailsJwtAuth.model.where(email: confirmation_create_params[:email]).first
+      user = RailsJwtAuth.model.where(
+        email: confirmation_create_params[RailsJwtAuth.email_field_name]
+      ).first
+
       return render_422(email: [{error: :not_found}]) unless user
 
       user.send_confirmation_instructions ? render_204 : render_422(user.errors.details)

data/app/controllers/rails_jwt_auth/invitations_controller.rb

@@ -4,6 +4,7 @@ module RailsJwtAuth
     include RenderHelper
 
     def create
+      authenticate!
       user = RailsJwtAuth.model.invite!(invitation_create_params)
       user.errors.empty? ? render_204 : render_422(user.errors.details)
     end

data/app/controllers/rails_jwt_auth/passwords_controller.rb

@@ -4,8 +4,17 @@ module RailsJwtAuth
     include RenderHelper
 
     def create
-      user = RailsJwtAuth.model.where(email: password_create_params[:email].to_s.downcase).first
-      return render_422(email: [{error: :not_found}]) unless user
+      email_field = RailsJwtAuth.email_field_name
+
+      if password_create_params[email_field].blank?
+        return render_422(email_field => [{error: :blank}])
+      end
+
+      user = RailsJwtAuth.model.where(
+        email_field => password_create_params[email_field].to_s.strip.downcase
+      ).first
+
+      return render_422(email_field => [{error: :not_found}]) unless user
 
       user.send_reset_password_instructions ? render_204 : render_422(user.errors.details)
     end

data/app/controllers/rails_jwt_auth/sessions_controller.rb

@@ -10,10 +10,10 @@ module RailsJwtAuth
         render_422 session: [{error: :invalid_session}]
       elsif user.respond_to?('confirmed?') && !user.confirmed?
         render_422 session: [{error: :unconfirmed}]
-      elsif user.authenticate(session_create_params[:password])
+      elsif user.authentication?(session_create_params[:password])
         render_session generate_jwt(user), user
       else
-        render_422 session: [{error: :invalid_session}]
+        render_422 session: [user.unauthenticated_error]
       end
     end
 

data/app/controllers/rails_jwt_auth/unlocks_controller.rb

@@ -0,0 +1,14 @@
+module RailsJwtAuth
+  class UnlocksController < ApplicationController
+    include ParamsHelper
+    include RenderHelper
+
+    def update
+      return render_404 unless
+        params[:id] &&
+        (user = RailsJwtAuth.model.where(unlock_token: params[:id]).first)
+
+      user.unlock_access! ? render_204 : render_422(user.errors.details)
+    end
+  end
+end

data/app/mailers/rails_jwt_auth/mailer.rb

@@ -2,62 +2,76 @@ if defined?(ActionMailer)
   class RailsJwtAuth::Mailer < ApplicationMailer
     default from: RailsJwtAuth.mailer_sender
 
-    def confirmation_instructions(user)
+    before_action do
+      @user = RailsJwtAuth.model.find(params[:user_id])
+      @subject = I18n.t("rails_jwt_auth.mailer.#{action_name}.subject")
+    end
+
+    def confirmation_instructions
       raise RailsJwtAuth::NotConfirmationsUrl unless RailsJwtAuth.confirmations_url.present?
-      @user = user
 
-      url, params = RailsJwtAuth.confirmations_url.split('?')
-      params = params ? params.split('&') : []
-      params.push("confirmation_token=#{@user.confirmation_token}")
-      @confirmations_url = "#{url}?#{params.join('&')}"
+      @confirmations_url = add_param_to_url(
+        RailsJwtAuth.confirmations_url,
+        'confirmation_token',
+        @user.confirmation_token
+      )
 
-      subject = I18n.t('rails_jwt_auth.mailer.confirmation_instructions.subject')
-      mail(to: @user.unconfirmed_email || @user[RailsJwtAuth.email_field_name], subject: subject)
+      mail(to: @user.unconfirmed_email || @user[RailsJwtAuth.email_field_name], subject: @subject)
     end
 
-    def email_changed(user)
-      @user = user
-      subject = I18n.t('rails_jwt_auth.mailer.email_changed.subject')
-      mail(to: @user[RailsJwtAuth.email_field_name!], subject: subject)
+    def email_changed
+      mail(to: @user[RailsJwtAuth.email_field_name!], subject: @subject)
     end
 
-    def reset_password_instructions(user)
+    def reset_password_instructions
       raise RailsJwtAuth::NotResetPasswordsUrl unless RailsJwtAuth.reset_passwords_url.present?
-      @user = user
 
-      url, params = RailsJwtAuth.reset_passwords_url.split('?')
-      params = params ? params.split('&') : []
-      params.push("reset_password_token=#{@user.reset_password_token}")
-      @reset_passwords_url = "#{url}?#{params.join('&')}"
+      @reset_passwords_url = add_param_to_url(
+        RailsJwtAuth.reset_passwords_url,
+        'reset_password_token',
+        @user.reset_password_token
+      )
 
-      subject = I18n.t('rails_jwt_auth.mailer.reset_password_instructions.subject')
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
+      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
     end
 
-    def set_password_instructions(user)
+    def set_password_instructions
       raise RailsJwtAuth::NotSetPasswordsUrl unless RailsJwtAuth.set_passwords_url.present?
-      @user = user
 
-      url, params = RailsJwtAuth.set_passwords_url.split('?')
-      params = params ? params.split('&') : []
-      params.push("reset_password_token=#{@user.reset_password_token}")
-      @reset_passwords_url = "#{url}?#{params.join('&')}"
+      @reset_passwords_url = add_param_to_url(
+        RailsJwtAuth.set_passwords_url,
+        'reset_password_token',
+        @user.reset_password_token
+      )
 
-      subject = I18n.t('rails_jwt_auth.mailer.set_password_instructions.subject')
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
+      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
     end
 
-    def send_invitation(user)
+    def send_invitation
       raise RailsJwtAuth::NotInvitationsUrl unless RailsJwtAuth.invitations_url.present?
-      @user = user
 
-      url, params = RailsJwtAuth.invitations_url.split '?'
-      params = params ? params.split('&') : []
-      params.push("invitation_token=#{@user.invitation_token}")
-      @invitations_url = "#{url}?#{params.join('&')}"
+      @invitations_url = add_param_to_url(
+        RailsJwtAuth.invitations_url,
+        'invitation_token',
+        @user.invitation_token
+      )
 
-      subject = I18n.t('rails_jwt_auth.mailer.send_invitation.subject')
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
+      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+    end
+
+    def send_unlock_instructions
+      @unlock_url = add_param_to_url(RailsJwtAuth.unlock_url, 'unlock_token', @user.unlock_token)
+
+      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+    end
+
+    protected
+
+    def add_param_to_url(url, param_name, param_value)
+      path, params = url.split '?'
+      params = params ? params.split('&') : []
+      params.push("#{param_name}=#{param_value}")
+      "#{path}?#{params.join('&')}"
     end
   end
 end

data/app/models/concerns/rails_jwt_auth/authenticatable.rb

@@ -46,8 +46,10 @@ module RailsJwtAuth
                                  'invalid'
                                end
 
-      # abort reset password if exists to allow save
-      self.reset_password_token = self.reset_password_sent_at = nil if reset_password_token
+      # if recoberable module is enabled ensure clean recovery to allow save
+      if self.respond_to? :reset_password_token
+        self.reset_password_token = self.reset_password_sent_at = nil
+      end
 
       assign_attributes(params)
       valid? # validates first other fields
@@ -65,6 +67,14 @@ module RailsJwtAuth
       end
     end
 
+    def authentication?(pass)
+      authenticate(pass)
+    end
+
+    def unauthenticated_error
+      {error: :invalid_session}
+    end
+
     module ClassMethods
       def from_token_payload(payload)
         if RailsJwtAuth.simultaneous_sessions > 0

data/app/models/concerns/rails_jwt_auth/confirmable.rb

@@ -33,13 +33,19 @@ module RailsJwtAuth
 
             self.confirmation_token = SecureRandom.base58(24)
             self.confirmation_sent_at = Time.current
+          end
+        end
 
-            mailer = Mailer.confirmation_instructions(self)
-            RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
-
-            if RailsJwtAuth.send_email_changed_notification
-              mailer = Mailer.email_changed(self)
-              RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+        if defined?(ActiveRecord) && ancestors.include?(ActiveRecord::Base)
+          after_commit  do
+            if unconfirmed_email && saved_change_to_unconfirmed_email?
+              deliver_email_changed_emails
+            end
+          end
+        elsif defined?(Mongoid) && ancestors.include?(Mongoid::Document)
+          after_update do
+            if unconfirmed_email && unconfirmed_email_changed?
+              deliver_email_changed_emails
             end
           end
         end
@@ -58,8 +64,7 @@ module RailsJwtAuth
       self.confirmation_sent_at = Time.current
       return false unless save
 
-      mailer = Mailer.confirmation_instructions(self)
-      RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+      RailsJwtAuth.send_email(:confirmation_instructions, self)
       true
     end
 
@@ -72,9 +77,15 @@ module RailsJwtAuth
       self.confirmation_token = nil
 
       if unconfirmed_email
-        self[RailsJwtAuth.email_field_name!] = unconfirmed_email
-        self.email_confirmation = unconfirmed_email if respond_to?(:email_confirmation)
+        email_field = RailsJwtAuth.email_field_name!
+
+        self[email_field] = unconfirmed_email
         self.unconfirmed_email = nil
+
+        # supports email confirmation attr_accessor validation
+        if respond_to?("#{email_field}_confirmation")
+          instance_variable_set("@#{email_field}_confirmation", self[email_field])
+        end
       end
 
       save
@@ -89,6 +100,7 @@ module RailsJwtAuth
 
     def validate_confirmation
       return true unless confirmed_at
+
       email_field = RailsJwtAuth.email_field_name!
 
       if confirmed_at_was && !public_send("#{email_field}_changed?")
@@ -98,5 +110,15 @@ module RailsJwtAuth
         errors.add(:confirmation_token, :expired)
       end
     end
+
+    def deliver_email_changed_emails
+      # send confirmation to new email
+      RailsJwtAuth.send_email(:confirmation_instructions, self)
+
+      # send notify to old email
+      if RailsJwtAuth.send_email_changed_notification
+        RailsJwtAuth.send_email(:email_changed, self)
+      end
+    end
   end
 end

data/app/models/concerns/rails_jwt_auth/invitable.rb

@@ -112,9 +112,8 @@ module RailsJwtAuth
     end
 
     def send_invitation_mail
-      RailsJwtAuth.email_field_name! # ensure email field es valid
-      mailer = Mailer.send_invitation(self)
-      RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+      RailsJwtAuth.email_field_name! # ensure email field is valid
+      RailsJwtAuth.send_email(:send_invitation, self)
     end
 
     def invitation_period_valid?

data/app/models/concerns/rails_jwt_auth/lockable.rb

@@ -0,0 +1,114 @@
+module RailsJwtAuth
+  module Lockable
+    BOTH_UNLOCK_STRATEGIES = %i[time email].freeze
+
+    def self.included(base)
+      base.class_eval do
+        if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
+          field :failed_attempts,         type: Integer
+          field :unlock_token,            type: String
+          field :first_failed_attempt_at, type: Time
+          field :locked_at,               type: Time
+        end
+      end
+    end
+
+    def lock_access!
+      self.locked_at = Time.now.utc
+      save(validate: false).tap do |result|
+        send_unlock_instructions if result && unlock_strategy_enabled?(:email)
+      end
+    end
+
+    def unlock_access!
+      self.locked_at = nil
+      self.failed_attempts = 0
+      self.first_failed_attempt_at = nil
+      self.unlock_token = nil
+      save(validate: false)
+    end
+
+    def reset_attempts!
+      self.failed_attempts = 0
+      self.first_failed_attempt_at = nil
+      save(validate: false)
+    end
+
+    def authentication?(pass)
+      return super(pass) unless lock_strategy_enabled?(:failed_attempts)
+
+      reset_attempts! if !access_locked? && attempts_expired?
+      unlock_access! if lock_expired?
+
+      if access_locked?
+        false
+      elsif super(pass)
+        unlock_access!
+        self
+      else
+        failed_attempt!
+        lock_access! if attempts_exceeded?
+        false
+      end
+    end
+
+    def unauthenticated_error
+      return super unless lock_strategy_enabled?(:failed_attempts)
+
+      if access_locked?
+        {error: :locked}
+      else
+        {error: :invalid_session, remaining_attempts: remaining_attempts}
+      end
+    end
+
+    protected
+
+    def send_unlock_instructions
+      self.unlock_token = SecureRandom.base58(24)
+      save(validate: false)
+
+      RailsJwtAuth.send_email(:send_unlock_instructions, self)
+    end
+
+    def access_locked?
+      locked_at && !lock_expired?
+    end
+
+    def lock_expired?
+      if unlock_strategy_enabled?(:time)
+        locked_at && locked_at < RailsJwtAuth.unlock_in.ago
+      else
+        false
+      end
+    end
+
+    def failed_attempt!
+      self.failed_attempts ||= 0
+      self.failed_attempts += 1
+      self.first_failed_attempt_at = Time.now.utc if failed_attempts == 1
+      save(validate: false)
+    end
+
+    def attempts_exceeded?
+      failed_attempts && failed_attempts >= RailsJwtAuth.maximum_attempts
+    end
+
+    def remaining_attempts
+      RailsJwtAuth.maximum_attempts - failed_attempts.to_i
+    end
+
+    def attempts_expired?
+      first_failed_attempt_at && first_failed_attempt_at < RailsJwtAuth.reset_attempts_in.ago
+    end
+
+    def lock_strategy_enabled?(strategy)
+      RailsJwtAuth.lock_strategy == strategy
+    end
+
+    def unlock_strategy_enabled?(strategy)
+      RailsJwtAuth.unlock_strategy == strategy ||
+        (RailsJwtAuth.unlock_strategy == :both && BOTH_UNLOCK_STRATEGIES.include?(strategy))
+    end
+  end
+end

data/app/models/concerns/rails_jwt_auth/recoverable.rb

@@ -14,7 +14,10 @@ module RailsJwtAuth
         validate :validate_reset_password_token, if: :password_digest_changed?
 
         before_update do
-          self.reset_password_token = nil if password_digest_changed? && reset_password_token
+          if password_digest_changed? && reset_password_token
+            self.reset_password_token = nil
+            self.auth_tokens = []
+          end
         end
       end
     end
@@ -27,12 +30,17 @@ module RailsJwtAuth
         return false
       end
 
+      if self.class.ancestors.include?(RailsJwtAuth::Lockable) &&
+         lock_strategy_enabled?(:failed_attempts) && access_locked?
+        errors.add(email_field, :locked)
+        return false
+      end
+
       self.reset_password_token = SecureRandom.base58(24)
       self.reset_password_sent_at = Time.current
       return false unless save
 
-      mailer = Mailer.reset_password_instructions(self)
-      RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+      RailsJwtAuth.send_email(:reset_password_instructions, self)
     end
 
     def set_and_send_password_instructions
@@ -47,8 +55,7 @@ module RailsJwtAuth
       self.reset_password_sent_at = Time.current
       return false unless save
 
-      mailer = Mailer.set_password_instructions(self)
-      RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+      RailsJwtAuth.send_email(:set_password_instructions, self)
       true
     end
 

data/app/views/rails_jwt_auth/mailer/send_unlock_instructions.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @user[RailsJwtAuth.email_field_name] %>!</p>
+
+<p>Your account has been locked due to an excessive number of unsuccessful sign in attempts.</p>
+
+<p>Click the link below to unlock your account:</p>
+
+<p><%= link_to 'Unlock my account', @unlock_url.html_safe %></p>

data/config/locales/en.yml

@@ -11,3 +11,5 @@ en:
         subject: "Someone has sent you an invitation!"
       email_changed:
         subject: "Email changed"
+      send_unlock_instructions:
+        subject: "Unlock instructions"

data/lib/generators/rails_jwt_auth/install_generator.rb

@@ -6,11 +6,12 @@ class RailsJwtAuth::InstallGenerator < Rails::Generators::Base
   end
 
   def create_routes
-    route "resources :session, controller: 'rails_jwt_auth/sessions', only: [:create, :destroy]"
-    route "resources :registration, controller: 'rails_jwt_auth/registrations', only: [:create, :update, :destroy]"
+    route "resource :session, controller: 'rails_jwt_auth/sessions', only: [:create, :destroy]"
+    route "resource :registration, controller: 'rails_jwt_auth/registrations', only: [:create]"
 
     route "resources :confirmations, controller: 'rails_jwt_auth/confirmations', only: [:create, :update]"
     route "resources :passwords, controller: 'rails_jwt_auth/passwords', only: [:create, :update]"
     route "resources :invitations, controller: 'rails_jwt_auth/invitations', only: [:create, :update]"
+    route "resources :unlocks, controller: 'rails_jwt_auth/unlocks', only: %i[update]"
   end
 end

data/lib/generators/templates/initializer.rb

@@ -44,4 +44,22 @@ RailsJwtAuth.setup do |config|
 
   # uses deliver_later to send emails instead of deliver method
   #config.deliver_later = false
+
+  # maximum login attempts before locking an account
+  #config.maximum_attempts = 3
+
+  # strategy to lock an account: :none or :failed_attempts
+  #config.lock_strategy = :failed_attempts
+
+  # strategy to use when unlocking accounts: :time, :email or :both
+  #config.unlock_strategy = :time
+
+  # interval to unlock an account if unlock_strategy is :time
+  #config.unlock_in = 60.minutes
+
+  # interval after which to reset failed attempts counter of an account
+  #config.reset_attempts_in = 60.minutes
+
+  # url used to create email link with unlock token
+  #config.unlock_url = 'http://frontend.com/unlock-account'
 end

data/lib/generators/templates/migration.rb

@@ -24,6 +24,12 @@ class Create<%= RailsJwtAuth.model_name.pluralize %> < ActiveRecord::Migration<%
       # t.datetime :invitation_sent_at
       # t.datetime :invitation_accepted_at
       # t.datetime :invitation_created_at
+
+      ## Lockable
+      # t.integer :failed_attempts
+      # t.string :unlock_token
+      # t.datetime :first_failed_attempt_at
+      # t.datetime :locked_at
     end
   end
 end

data/lib/rails_jwt_auth/version.rb

@@ -1,3 +1,3 @@
 module RailsJwtAuth
-  VERSION = '1.3.1'
+  VERSION = '1.7.3'
 end

data/lib/rails_jwt_auth.rb

@@ -59,6 +59,24 @@ module RailsJwtAuth
   mattr_accessor :deliver_later
   self.deliver_later = false
 
+  mattr_accessor :maximum_attempts
+  self.maximum_attempts = 3
+
+  mattr_accessor :lock_strategy
+  self.lock_strategy = :none
+
+  mattr_accessor :unlock_strategy
+  self.unlock_strategy = :time
+
+  mattr_accessor :unlock_in
+  self.unlock_in = 60.minutes
+
+  mattr_accessor :reset_attempts_in
+  self.unlock_in = 60.minutes
+
+  mattr_accessor :unlock_url
+  self.unlock_url = nil
+
   def self.model
     model_name.constantize
   end
@@ -96,4 +114,9 @@ module RailsJwtAuth
 
     field_name
   end
+
+  def self.send_email(method, user)
+    mailer = RailsJwtAuth::Mailer.with(user_id: user.id.to_s).public_send(method)
+    RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_jwt_auth
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.7.3
 platform: ruby
 authors:
 - rjurado
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-19 00:00:00.000000000 Z
+date: 2020-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -45,9 +45,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '6.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -55,11 +52,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '6.1'
-description: Rails authentication solution based on Warden and JWT and inspired by
-  Devise.
+description: Rails-API authentication solution based on JWT and inspired by Devise.
 email:
 - rjurado@openmailbox.org
 executables: []
@@ -77,17 +70,20 @@ files:
 - app/controllers/rails_jwt_auth/passwords_controller.rb
 - app/controllers/rails_jwt_auth/registrations_controller.rb
 - app/controllers/rails_jwt_auth/sessions_controller.rb
+- app/controllers/rails_jwt_auth/unlocks_controller.rb
 - app/controllers/unauthorized_controller.rb
 - app/mailers/rails_jwt_auth/mailer.rb
 - app/models/concerns/rails_jwt_auth/authenticatable.rb
 - app/models/concerns/rails_jwt_auth/confirmable.rb
 - app/models/concerns/rails_jwt_auth/invitable.rb
+- app/models/concerns/rails_jwt_auth/lockable.rb
 - app/models/concerns/rails_jwt_auth/recoverable.rb
 - app/models/concerns/rails_jwt_auth/trackable.rb
 - app/views/rails_jwt_auth/mailer/confirmation_instructions.html.erb
 - app/views/rails_jwt_auth/mailer/email_changed.html.erb
 - app/views/rails_jwt_auth/mailer/reset_password_instructions.html.erb
 - app/views/rails_jwt_auth/mailer/send_invitation.html.erb
+- app/views/rails_jwt_auth/mailer/send_unlock_instructions.html.erb
 - app/views/rails_jwt_auth/mailer/set_password_instructions.html.erb
 - config/locales/en.yml
 - lib/generators/rails_jwt_auth/install_generator.rb
@@ -118,8 +114,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Rails jwt authentication.