rails_jwt_auth 1.6.1 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a366c8d045f041a81ddb16e375a052f19dc011038d408c79dde19c31e6696968
-  data.tar.gz: eafb8cf07deb41c01bf719fda8e66b2b5e6d8cc620bdc418dbd8ffa9d6f55ba1
+  metadata.gz: c3ebe38a69058ce05f15ec6ffce2a2d91654a4839596f710d099d5bfa8098173
+  data.tar.gz: e565d1eaeec61e94456190e0839e7462bc5d2578d5059c7fda24ff8e1fbc3823
 SHA512:
-  metadata.gz: 3a29adeb02a5e05ad95773eccdedbdeb53649f5e493c23e16a65541ac8191f39532308faed100866ab6c79ded869b6476e99dbac4257f27c27a5dbb920d31f71
-  data.tar.gz: 39d19de7185410e1e8ecdcadaa13674a9ef520e3a0f91edeb883dddd43aa1ca3ed72187a810df475f20004f572a39796c27ebe4d815fa3f12791473d4f1696f4
+  metadata.gz: d3a2e4a93d66ac10a88cd45e6bcf50a2e21977ec4bd1fb1e71df9cc837dce910f401c5d0f8c61e851e3a41773b9e6b61555b1fd8aa23de0d915770f8d3e450f2
+  data.tar.gz: 4541e70821d3f2e104702012107d3ee10ca30a26e3e773aacca3af6327846cb4695dd4416cb619ab750e8976b63b001cbb93687f080dfce0ea6d73c3d01afdbd

data/README.md

@@ -5,8 +5,10 @@
 
 Rails-API authentication solution based on JWT and inspired by Devise.
 
-> This is documentation for version `1.x`. If you are using `0.x` version use this
-[link](https://github.com/rjurado01/rails_jwt_auth/tree/0.x)
+> This is documentation for version `2.x`. If you are using `1.x` version use this
+[link](https://github.com/rjurado01/rails_jwt_auth/tree/1.x)
+
+> Version 2.x introduces incompatible API changes.
 
 ## Table of Contents
 
@@ -61,30 +63,34 @@ rails g rails_jwt_auth:migrate
 
 You can edit configuration options into `config/initializers/rails_jwt_auth.rb` file created by generator.
 
-| Option                          | Default value     | Description                                                            |
-| ------------------------------- | ----------------- | ---------------------------------------------------------------------- |
-| model_name                      | 'User'            | Authentication model name                                              |
-| auth_field_name                 | 'email'           | Field used to authenticate user with password                          |
-| email_auth_field                | 'email'           | Field used to send emails                                              |
-| jwt_expiration_time             | 7.days            | Tokens expiration time                                                 |
-| jwt_issuer                      | 'RailsJwtAuth'    | The "iss" (issuer) claim identifies the principal that issued the JWT  |
-| simultaneous_sessions           | 2                 | Number of simultaneous sessions for an user. Set 0 to disable sessions |
-| mailer_sender                   |                   | E-mail address which will be shown in RailsJwtAuth::Mailer             |
-| send_email_changed_notification | true              | Notify original email when it changes                                  |
-| confirmation_expiration_time    | 1.day             | Confirmation token expiration time                                     |
-| reset_password_expiration_time  | 1.day             | Confirmation token expiration time                                     |
-| deliver_later                   | false             | Uses `deliver_later` method to send emails                             |
-| invitation_expiration_time      | 2.days            | Time an invitation is valid and can be accepted                        |
-| confirmations_url               | nil               | Url used to create email link with confirmation token                  |
-| reset_passwords_url             | nil               | Url used to create email link with reset password token                |
-| set_passwords_url               | nil               | Url used to create email link with set password token                  |
-| invitations_url                 | nil               | Url used to create email link with invitation token                    |
-| maximum_attempts                | 3                 | Number of failed login attempts before locking an account              |
-| lock_strategy                   | :none             | Strategy to be used to lock an account: `:none` or `:failed_attempts`  |
-| unlock_strategy                 | :time             | Strategy to use when unlocking accounts: `:time`, `:email` or `:both`  |
-| unlock_in                       | 60.minutes        | Interval to unlock an account if `unlock_strategy` is `:time`          |
-| reset_attempts_in               | 60.minutes        | Interval after which to reset failed attempts counter of an account    |
-| unlock_url                      | nil               | Url used to create email link with unlock token                        |
+| Option                                    | Default value              | Description                                                            |
+| ----------------------------------        | ----------------           | ---------------------------------------------------------------------- |
+| model_name                                | `'User'`                   | Authentication model name                                              |
+| auth_field_name                           | `'email'`                  | Field used to authenticate user with password                          |
+| email_auth_field                          | `'email'`                  | Field used to send emails                                              |
+| email_regex                               | `URI::MailTo::EMAIL_REGEXP`| Regex used to validate email input on requests like reset password     |
+| downcase_auth_field                       | `false`                    | Apply downcase to auth field when save user and when init session      |
+| jwt_expiration_time                       | `7.days`                   | Tokens expiration time                                                 |
+| jwt_issuer                                | `'RailsJwtAuth'`           | The "iss" (issuer) claim identifies the principal that issued the JWT  |
+| simultaneous_sessions                     | `2`                        | Number of simultaneous sessions for an user. Set 0 to disable sessions |
+| mailer_name                               | `'RailsJwtAuth::Mailer'`   | Authentication model name                                              |
+| mailer_sender                             | `...@example.com`          | E-mail address which will be shown in RailsJwtAuth::Mailer             |
+| send_email_change_requested_notification  | `true`                     | Notify original email when change is requested (unconfirmed)           |
+| send_password_changed_notification        | `true`                     | Notify email when password changes                                     |
+| confirmation_expiration_time              | `1.day`                    | Confirmation token expiration time                                     |
+| reset_password_expiration_time            | `1.day`                    | Confirmation token expiration time                                     |
+| deliver_later                             | `false`                    | Uses `deliver_later` method to send emails                             |
+| invitation_expiration_time                | `2.days`                   | Time an invitation is valid and can be accepted                        |
+| lock_strategy                             | `:none`                    | Strategy to be used to lock an account: `:none` or `:failed_attempts`  |
+| unlock_strategy                           | `:time`                    | Strategy to use when unlocking accounts: `:time`, `:email` or `:both`  |
+| unlock_in                                 | `60.minutes`               | Interval to unlock an account if `unlock_strategy` is `:time`          |
+| reset_attempts_in                         | `60.minutes`               | Interval after which to reset failed attempts counter of an account    |
+| maximum_attempts                          | `3`                        | Number of failed login attempts before locking an account              |
+| confirm_email_url                         | `nil`                      | Your web url where emai link redirects with confirmation token         |
+| reset_password_url                        | `nil`                      | Your web url where emai link redirects with reset password token       |
+| accept_invitation_url                     | `nil`                      | Your web url where emai link redirects with invitation token           |
+| unlock_account_url                        | `nil`                      | Your web url where emai link redirects with unlock token               |
+| avoid_email_errors                        | `true`                     | Avoid returns email errors to avoid giving clue to an attacker         |
 
 ## Modules
 
@@ -95,7 +101,7 @@ It's composed of 6 modules:
 | Authenticable | Hashes and stores a password in the database to validate the authenticity of a user while signing in            |
 | Confirmable   | Sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in |
 | Recoverable   | Resets the user password and sends reset instructions                                                           |
-| Trackable     | Tracks sign in timestamps and IP address                                                                        |
+| Trackable     | Tracks sign in and request timestamps and IP address                                                            |
 | Invitable     | Allows you to invite an user to your application sending an invitation mail                                     |
 | Lockable      | Locks the user after a specified number of failed sign in attempts                                              |
 
@@ -197,20 +203,24 @@ end
 
 ## Default Controllers API
 
-|       Prefix | Verb   | URI Pattern                  | Controller#Action                   |
-| ------------ | ------ | ---------------------------- | ----------------------------------- |
-|      session | DELETE | /session(.:format)           | rails_jwt_auth/sessions#destroy     |
-|              | POST   | /session(.:format)           | rails_jwt_auth/sessions#create      |
-| registration | POST   | /registration(.:format)      | rails_jwt_auth/registrations#create |
-|confirmations | POST   | /confirmations(.:format)     | rails_jwt_auth/confirmations#create |
-| confirmation | PATCH  | /confirmations/:id(.:format) | rails_jwt_auth/confirmations#update |
-|              | PUT    | /confirmations/:id(.:format) | rails_jwt_auth/confirmations#update |
-|    passwords | POST   | /passwords(.:format)         | rails_jwt_auth/passwords#create     |
-|     password | PATCH  | /passwords/:id(.:format)     | rails_jwt_auth/passwords#update     |
-|              | PUT    | /passwords/:id(.:format)     | rails_jwt_auth/passwords#update     |
-|  invitations | POST   | /invitations(.:format)       | rails_jwt_auth/invitations#create   |
-|   invitation | PATCH  | /invitations/:id(.:format)   | rails_jwt_auth/invitations#update   |
-|              | PUT    | /invitations/:id(.:format)   | rails_jwt_auth/invitations#update   |
+|       Prefix     | Verb   | URI Pattern                    | Controller#Action                     |
+| ---------------- | ------ | ------------------------------ | -----------------------------------   |
+|          session | DELETE | /session(.:format)             | rails_jwt_auth/sessions#destroy       |
+|                  | POST   | /session(.:format)             | rails_jwt_auth/sessions#create        |
+|     registration | POST   | /registration(.:format)        | rails_jwt_auth/registrations#create   |
+|          profile | GET    | /profile(.:format)             | rails_jwt_auth/profiles#show          |
+|     mail_profile | PUT    | /profile/email(.:format)       | rails_jwt_auth/profiles#email         |
+| password_profile | PUT    | /profile/password(.:format)    | rails_jwt_auth/profiles#password      |
+|                  | PUT    | /profile(.:format)             | rails_jwt_auth/profiles#update        |
+|    confirmations | POST   | /confirmations(.:format)       | rails_jwt_auth/confirmations#create   |
+|     confirmation | PUT    | /confirmations/:id(.:format)   | rails_jwt_auth/confirmations#update   |
+|  reset_passwords | POST   | /reset_passwords(.:format)     | rails_jwt_auth/reset_passwords#create |
+|   reset_password | GET    | /reset_passwords/:id(.:format) | rails_jwt_auth/reset_passwords#show   |
+|                  | PUT    | /reset_passwords/:id(.:format) | rails_jwt_auth/reset_passwords#update |
+|      invitations | POST   | /invitations(.:format)         | rails_jwt_auth/invitations#create     |
+|       invitation | GET    | /invitations/:id(.:format)     | rails_jwt_auth/invitations#show       |
+|                  | PUT    | /invitations/:id(.:format)     | rails_jwt_auth/invitations#update     |
+|   unlock_account | PUT    | /unlock_accounts/:id(.:format) | rails_jwt_auth/unlock_accounts#update |
 
 ### Session
 
@@ -254,12 +264,73 @@ Registration api is defined by `RailsJwtAuth::RegistrationsController`.
   data: {
     user: {
       email: 'user@email.com',
-      password: '12345678'
+      password: 'xxxx'
     }
   }
 }
 ```
 
+### Profile
+
+Profile api let you get/update your user info and is defined by `RailsJwtAuth::ProfilesController`.
+
+1. Get user info:
+
+```js
+{
+  url: host/profile,
+  method: GET,
+  headers: { 'Authorization': 'Bearer auth_token'}
+}
+```
+
+2. Update user info:
+
+```js
+{
+  url: host/profile,
+  method: PUT,
+  data: {
+    profile: {
+      name: 'new_name',
+    }
+  },
+  headers: { 'Authorization': 'Bearer auth_token'}
+}
+```
+
+3. Update user password:
+
+```js
+{
+  url: host/profile/password,
+  method: PUT,
+  data: {
+    profile: {
+      current_password: 'xxxx',
+      password: 'yyyy',
+    }
+  },
+  headers: { 'Authorization': 'Bearer auth_token'}
+}
+```
+
+4. Update user email (needs confirmation module):
+
+```js
+{
+  url: host/profile/email,
+  method: PUT,
+  data: {
+    profile: {
+      email: 'new@email.com',
+      password: 'xxxx', # email change is protected by password
+    }
+  },
+  headers: { 'Authorization': 'Bearer auth_token'}
+}
+```
+
 ### Confirmation
 
 Confirmation api is defined by `RailsJwtAuth::ConfirmationsController`.
@@ -292,30 +363,41 @@ It is necessary to set a value for `confirmations_url` option into `config/initi
 
 ### Password
 
-Password api is defined by `RailsJwtAuth::PasswordsController`.
+Reset password api is defined by `RailsJwtAuth::ResetPasswordsController`.
 
-1.  Send reset password email:
+1.  Send reset password email (init reset password process):
 
 ```js
 {
-  url: host/passwords,
+  url: host/reset_passwords,
   method: POST,
   data: {
-    password: {
+    reset_password: {
       email: 'user@example.com'
     }
   }
 }
 ```
 
-2.  Update password:
+2.  Check token validation:
+
+Used to verify token and show an alert in your web before new password is setted.
+
+```js
+{
+  url: host/reset_passwords/:token,
+  method: GET
+}
+```
+
+3.  Update password:
 
 ```js
 {
   url: host/passwords/:token,
   method: PUT,
   data: {
-    password: {
+    reset_password: {
       password: '1234',
       password_confirmation: '1234'
     }
@@ -342,7 +424,18 @@ Invitations api is provided by `RailsJwtAuth::InvitationsController`.
 }
 ```
 
-2.  Accept an invitation:
+2.  Check token validation:
+
+Used to verify token and show an alert in your web before invitation data is completed.
+
+```js
+{
+  url: host/invitations/:token,
+  method: GET
+}
+```
+
+3.  Accept an invitation:
 
 ```js
 {
@@ -367,7 +460,7 @@ Unlock api is provided by `RailsJwtAuth::UnlocksController`.
 
 ```js
 {
-  url: host/unlocks/:unlock_token,
+  url: host/unlock_accounts/:unlock_token,
   method: PUT,
   data: {}
 }
@@ -418,7 +511,7 @@ class User < ApplicationRecord
 
   def to_token_payload(request)
     {
-      auth_token: regenerate_auth_token,
+      auth_token: auth_tokens.last,
       # add here your custom info
     }
   end
@@ -427,63 +520,69 @@ end
 
 ### Custom responses
 
-You can overwrite `RailsJwtAuth::RenderHelper` to customize controllers responses.
+You can overwrite `RailsJwtAuth::RenderHelper` to customize controllers responses 
+without need to overwrite each controller.
 
-### Custom strong parameters
+Example:
 
-You can overwrite `RailsJwtAuth::ParamsHelper` to customize controllers strong parameters.
+```ruby
+# app/controllers/concerns/rails_jwt_auth/render_helper.rb
 
-## Examples
+module RailsJwtAuth
+  module RenderHelper
+    private
 
-### Edit user information
+    def render_session(jwt, user)
+      # add custom field to session response
+      render json: {session: {jwt: jwt, my_custom_field: user.custom_field}}, status: 201
+    end
 
-This is a controller example that allows users to edit their `email` and `password`.
+  ...
+end
+```
+
+### Custom strong parameters
+
+You can overwrite `RailsJwtAuth::ParamsHelper` to customize controllers strong parameters 
+without need to overwrite each controller.
+
+Example:
 
 ```ruby
-class CurrentUserController < ApplicationController
-  before_action 'authenticate!'
-
-  def update
-    if update_params[:password]
-      # update password and remove other sessions tokens
-      current_user.update_with_password(
-        update_params.merge(auth_tokens: [jwt_payload['auth_token']])
-      )
-    else
-      current_user.update_attributes(update_params)
-    end
-  end
+# app/controllers/concerns/rails_jwt_auth/params_helper.rb
 
-  private
+module RailsJwtAuth
+  module ParamsHelper
+    private
 
-  def update_params
-    params.require(:user).permit(:email, :current_password, :password)
-  end
+    def registration_create_params
+      # change root to :data
+      params.require(:data).permit(:email, :password, :password_confirmation)
+    end
+
+  ...
 end
 ```
 
-### Register users with random password
+#### Custom mailer
 
-This is a controller example that allows admins to register users with random password and send email to reset it.
-If registration is sucess it will send email to `set_password_url` with reset password token.
+To use a custom mailer, create a class that extends RailsJwtAuth::Mailer, like this:
 
 ```ruby
-class UsersController < ApplicationController
-  before_action 'authenticate!'
+class CustomMailer < RailsJwtAuth::Mailer
+  def confirmation_instructions(user)
+    # set your custom code here
 
-  def create
-    user = User.new(create_params)
-    user.set_and_send_password_instructions ? render_204 : render_422(user.errors.details)
-  end
-
-  private
-
-  def create_params
-    params.require(:user).permit(:email)
+    super
   end
 end
 ```
 
+Then, in your `config/initializers/rails_jwt_auth.rb`, set `config.mailer` to `"CustomMailer"`.
+
+> If you only need to customize templates, overwrite files in 'app/views/rails_jwt_auth/mailer'
+
+
 ## Testing (rspec)
 
 Require the RailsJwtAuth::Spec::Helpers helper module in `rails_helper.rb`.

data/app/controllers/concerns/rails_jwt_auth/authenticable_helper.rb

@@ -14,35 +14,43 @@ module RailsJwtAuth
       !current_user.nil?
     end
 
+    def get_jwt_from_request
+      request.env['HTTP_AUTHORIZATION']&.split&.last
+    end
+
     def authenticate!
       begin
-        @jwt_payload = RailsJwtAuth::JwtManager.decode_from_request(request).first
+        @jwt_payload = RailsJwtAuth::JwtManager.decode(get_jwt_from_request).first
       rescue JWT::ExpiredSignature, JWT::VerificationError, JWT::DecodeError
         unauthorize!
       end
 
       if !@current_user = RailsJwtAuth.model.from_token_payload(@jwt_payload)
         unauthorize!
-      elsif @current_user.respond_to? :update_tracked_fields!
-        @current_user.update_tracked_fields!(request)
+      else
+        track_request
       end
     end
 
     def authenticate
       begin
-        @jwt_payload = RailsJwtAuth::JwtManager.decode_from_request(request).first
+        @jwt_payload = RailsJwtAuth::JwtManager.decode(get_jwt_from_request).first
         @current_user = RailsJwtAuth.model.from_token_payload(@jwt_payload)
       rescue JWT::ExpiredSignature, JWT::VerificationError, JWT::DecodeError
         @current_user = nil
       end
 
-      if @current_user&.respond_to? :update_tracked_fields!
-        @current_user.update_tracked_fields!(request)
-      end
+      track_request
     end
 
     def unauthorize!
       raise NotAuthorized
     end
+
+    def track_request
+      if @current_user&.respond_to? :update_tracked_request_info
+        @current_user.update_tracked_request_info(request)
+      end
+    end
   end
 end

data/app/controllers/concerns/rails_jwt_auth/params_helper.rb

@@ -16,12 +16,12 @@ module RailsJwtAuth
       params.require(:session).permit(RailsJwtAuth.auth_field_name, :password)
     end
 
-    def password_create_params
-      params.require(:password).permit(RailsJwtAuth.email_field_name)
+    def reset_password_create_params
+      params.require(:reset_password).permit(RailsJwtAuth.email_field_name)
     end
 
-    def password_update_params
-      params.require(:password).permit(:password, :password_confirmation)
+    def reset_password_update_params
+      params.require(:reset_password).permit(:password, :password_confirmation)
     end
 
     def invitation_create_params
@@ -31,5 +31,19 @@ module RailsJwtAuth
     def invitation_update_params
       params.require(:invitation).permit(:password, :password_confirmation)
     end
+
+    def profile_update_params
+      params.require(:profile).except(
+        RailsJwtAuth.auth_field_name, :current_password, :password, :password_confirmation
+      )
+    end
+
+    def profile_update_password_params
+      params.require(:profile).permit(:current_password, :password, :password_confirmation)
+    end
+
+    def profile_update_email_params
+      params.require(:profile).permit(RailsJwtAuth.auth_field_name, :password)
+    end
   end
 end