rails_jwt_auth 1.7.2 → 2.0.3

data/app/models/concerns/rails_jwt_auth/trackable.rb

@@ -1,9 +1,18 @@
 module RailsJwtAuth
   module Trackable
-    def update_tracked_fields!(request)
+    def track_session_info(request)
+      return unless request
+
       self.last_sign_in_at = Time.current
       self.last_sign_in_ip = request.respond_to?(:remote_ip) ? request.remote_ip : request.ip
-      save(validate: false)
+    end
+
+    def update_tracked_request_info(request)
+      return unless request
+
+      self.last_request_at = Time.current
+      self.last_request_ip = request.respond_to?(:remote_ip) ? request.remote_ip : request.ip
+      self.save(validate: false)
     end
 
     def self.included(base)
@@ -11,6 +20,8 @@ module RailsJwtAuth
         if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
           field :last_sign_in_at, type: Time
           field :last_sign_in_ip, type: String
+          field :last_request_at, type: Time
+          field :last_request_ip, type: String
         end
       end
     end

data/app/views/rails_jwt_auth/mailer/confirmation_instructions.html.erb

@@ -2,4 +2,4 @@
 
 <p>You can confirm your account email through the link below:</p>
 
-<p><%= link_to 'Confirm my account', @confirmations_url.html_safe %></p>
+<p><%= link_to 'Confirm my account', @confirm_email_url.html_safe %></p>

data/app/views/rails_jwt_auth/mailer/{send_invitation.html.erb → invitation_instructions.html.erb}

@@ -3,4 +3,4 @@
 <p>Someone has sent you an invitation to App.</p>
 <p>To complete registration setting a password, please click the following link.</p>
 
-<p><%= link_to "Accept invitation", @invitations_url.html_safe %></p>
+<p><%= link_to "Accept invitation", @accept_invitation_url.html_safe %></p>

data/app/views/rails_jwt_auth/mailer/password_changed_notification.html.erb

@@ -0,0 +1,3 @@
+<p>Hello <%= @user[RailsJwtAuth.email_field_name] %>!</p>
+
+<p>We're contacting you to notify you that your password has been changed.</p>

data/app/views/rails_jwt_auth/mailer/reset_password_instructions.html.erb

@@ -2,7 +2,7 @@
 
 <p>Someone has requested a link to change your password. You can do this through the link below.</p>
 
-<p><%= link_to 'Change my password', @reset_passwords_url.html_safe %></p>
+<p><%= link_to 'Change my password', @reset_password_url.html_safe %></p>
 
 <p>If you didn't request this, please ignore this email.</p>
 <p>Your password won't change until you access the link above and create a new one.</p>

data/app/views/rails_jwt_auth/mailer/{send_unlock_instructions.html.erb → unlock_instructions.html.erb}

@@ -4,4 +4,4 @@
 
 <p>Click the link below to unlock your account:</p>
 
-<p><%= link_to 'Unlock my account', @unlock_url.html_safe %></p>
+<p><%= link_to 'Unlock my account', @unlock_account_url.html_safe %></p>

data/config/locales/en.yml

@@ -5,11 +5,11 @@ en:
         subject: "Confirmation instructions"
       reset_password_instructions:
         subject: "Reset password instructions"
-      set_password_instructions:
-        subject: "Set password instructions"
-      send_invitation:
+      invitation_instructions:
         subject: "Someone has sent you an invitation!"
-      email_changed:
-        subject: "Email changed"
-      send_unlock_instructions:
+      email_change_requested_notification:
+        subject: "Email change"
+      password_changed_notification:
+        subject: "Password changed"
+      unlock_instructions:
         subject: "Unlock instructions"

data/lib/generators/rails_jwt_auth/install_generator.rb

@@ -8,10 +8,18 @@ class RailsJwtAuth::InstallGenerator < Rails::Generators::Base
   def create_routes
     route "resource :session, controller: 'rails_jwt_auth/sessions', only: [:create, :destroy]"
     route "resource :registration, controller: 'rails_jwt_auth/registrations', only: [:create]"
+    route %q(
+      resource :profile, controller: 'rails_jwt_auth/profiles', only: %i[show update] do
+        collection do
+          put :email
+          put :password
+        end
+      end
+    )
 
     route "resources :confirmations, controller: 'rails_jwt_auth/confirmations', only: [:create, :update]"
-    route "resources :passwords, controller: 'rails_jwt_auth/passwords', only: [:create, :update]"
-    route "resources :invitations, controller: 'rails_jwt_auth/invitations', only: [:create, :update]"
-    route "resources :unlocks, controller: 'rails_jwt_auth/unlocks', only: %i[update]"
+    route "resources :reset_passwords, controller: 'rails_jwt_auth/reset_passwords', only: [:show, :create, :update]"
+    route "resources :invitations, controller: 'rails_jwt_auth/invitations', only: [:show, :create, :update]"
+    route "resources :unlock_accounts, controller: 'rails_jwt_auth/unlock_accounts', only: %i[update]"
   end
 end

data/lib/generators/templates/initializer.rb

@@ -1,65 +1,79 @@
 RailsJwtAuth.setup do |config|
   # authentication model class name
-  #config.model_name = 'User'
+  # config.model_name = 'User'
 
   # field name used to authentication with password
-  #config.auth_field_name = 'email'
+  # config.auth_field_name = 'email'
 
   # define email field name used to send emails
-  #config.email_field_name = 'email'
+  # config.email_field_name = 'email'
+
+  # Regex used to validate email input on requests like reset password
+  # config.email_regex = URI::MailTo::EMAIL_REGEXP
+
+  # apply downcase to auth field when save user and when init session
+  # config.downcase_auth_field = false
 
   # expiration time for generated tokens
-  #config.jwt_expiration_time = 7.days
+  # config.jwt_expiration_time = 7.days
 
   # the "iss" (issuer) claim identifies the principal that issued the JWT
-  #config.jwt_issuer = 'RailsJwtAuth'
+  # config.jwt_issuer = 'RailsJwtAuth'
 
   # number of simultaneously sessions for an user
-  #config.simultaneous_sessions = 2
+  # config.simultaneous_sessions = 2
+
+  # mailer class name
+  # config.mailer_name = 'RailsJwtAuth::Mailer'
 
   # mailer sender
-  #config.mailer_sender = 'initialize-mailer_sender@example.com'
+  # config.mailer_sender = 'initialize-mailer_sender@example.com'
+
+  # activate email notification when email is changed
+  # config.send_email_change_requested_notification = true
+
+  # activate email notification when password is changed
+  # config.send_password_changed_notification = true
 
   # expiration time for confirmation tokens
-  #config.confirmation_expiration_time = 1.day
+  # config.confirmation_expiration_time = 1.day
 
   # expiration time for reset password tokens
-  #config.reset_password_expiration_time = 1.day
+  # config.reset_password_expiration_time = 1.day
 
   # time an invitation is valid after sent
   # config.invitation_expiration_time = 2.days
 
-  # url used to create email link with confirmation token
-  #config.confirmations_url = 'http://frontend.com/confirmation'
-
-  # url used to create email link with reset password token
-  #config.reset_passwords_url = 'http://frontend.com/reset_password'
-
-  # url used to create email link with set password token
-  # by set_and_send_password_instructions method
-  #config.set_passwords_url = 'http://frontend.com/set_password'
-
-  # url used to create email link with activation token parameter to accept invitation
-  #config.invitations_url = 'http://frontend.com/accept_invitation'
-
   # uses deliver_later to send emails instead of deliver method
-  #config.deliver_later = false
+  # config.deliver_later = false
 
   # maximum login attempts before locking an account
-  #config.maximum_attempts = 3
+  # config.maximum_attempts = 3
 
   # strategy to lock an account: :none or :failed_attempts
-  #config.lock_strategy = :failed_attempts
+  # config.lock_strategy = :failed_attempts
 
   # strategy to use when unlocking accounts: :time, :email or :both
-  #config.unlock_strategy = :time
+  # config.unlock_strategy = :time
 
   # interval to unlock an account if unlock_strategy is :time
-  #config.unlock_in = 60.minutes
+  # config.unlock_in = 60.minutes
 
   # interval after which to reset failed attempts counter of an account
-  #config.reset_attempts_in = 60.minutes
+  # config.reset_attempts_in = 60.minutes
+  #
+  # url used to create email link with confirmation token
+  # config.confirm_email_url = 'http://frontend.com/confirm-email'
+
+  # url used to create email link with reset password token
+  # config.reset_password_url = 'http://frontend.com/reset-password'
+
+  # url used to create email link with activation token parameter to accept invitation
+  # config.accept_invitation_url = 'http://frontend.com/accept-invitation'
 
   # url used to create email link with unlock token
-  #config.unlock_url = 'http://frontend.com/unlock-account'
+  # config.unlock_account_url = 'http://frontend.com/unlock-account'
+
+  # set false to avoid giving clue about the existing emails with errors
+  # config.avoid_email_errors = true
 end

data/lib/generators/templates/migration.rb

@@ -18,12 +18,13 @@ class Create<%= RailsJwtAuth.model_name.pluralize %> < ActiveRecord::Migration<%
       ## Trackable
       # t.string :last_sign_in_ip
       # t.datetime :last_sign_in_at
+      # t.string :last_request_ip
+      # t.datetime :last_request_at
 
       ## Invitable
       # t.string :invitation_token
       # t.datetime :invitation_sent_at
       # t.datetime :invitation_accepted_at
-      # t.datetime :invitation_created_at
 
       ## Lockable
       # t.integer :failed_attempts

data/lib/rails_jwt_auth.rb

@@ -1,15 +1,16 @@
+require 'active_support/core_ext/integer/time'
 require 'bcrypt'
 
 require 'rails_jwt_auth/engine'
 require 'rails_jwt_auth/jwt_manager'
+require 'rails_jwt_auth/session'
 
 module RailsJwtAuth
-  InvalidEmailField = Class.new(StandardError)
-  InvalidAuthField = Class.new(StandardError)
   NotConfirmationsUrl = Class.new(StandardError)
   NotInvitationsUrl = Class.new(StandardError)
   NotResetPasswordsUrl = Class.new(StandardError)
-  NotSetPasswordsUrl = Class.new(StandardError)
+  NotUnlockUrl = Class.new(StandardError)
+  InvalidJwtPayload = Class.new(StandardError)
 
   mattr_accessor :model_name
   self.model_name = 'User'
@@ -20,6 +21,12 @@ module RailsJwtAuth
   mattr_accessor :email_field_name
   self.email_field_name = 'email'
 
+  mattr_accessor :email_regex
+  self.email_regex = URI::MailTo::EMAIL_REGEXP
+
+  mattr_accessor :downcase_auth_field
+  self.downcase_auth_field = false
+
   mattr_accessor :jwt_expiration_time
   self.jwt_expiration_time = 7.days
 
@@ -29,11 +36,17 @@ module RailsJwtAuth
   mattr_accessor :simultaneous_sessions
   self.simultaneous_sessions = 2
 
+  mattr_accessor :mailer_name
+  self.mailer_name = 'RailsJwtAuth::Mailer'
+
   mattr_accessor :mailer_sender
   self.mailer_sender = 'initialize-mailer_sender@example.com'
 
-  mattr_accessor :send_email_changed_notification
-  self.send_email_changed_notification = true
+  mattr_accessor :send_email_change_requested_notification
+  self.send_email_change_requested_notification = true
+
+  mattr_accessor :send_password_changed_notification
+  self.send_password_changed_notification = true
 
   mattr_accessor :confirmation_expiration_time
   self.confirmation_expiration_time = 1.day
@@ -44,18 +57,6 @@ module RailsJwtAuth
   mattr_accessor :invitation_expiration_time
   self.invitation_expiration_time = 2.days
 
-  mattr_accessor :confirmations_url
-  self.confirmations_url = nil
-
-  mattr_accessor :reset_passwords_url
-  self.reset_passwords_url = nil
-
-  mattr_accessor :set_passwords_url
-  self.set_passwords_url = nil
-
-  mattr_accessor :invitations_url
-  self.invitations_url = nil
-
   mattr_accessor :deliver_later
   self.deliver_later = false
 
@@ -72,51 +73,49 @@ module RailsJwtAuth
   self.unlock_in = 60.minutes
 
   mattr_accessor :reset_attempts_in
-  self.unlock_in = 60.minutes
+  self.reset_attempts_in = 60.minutes
 
-  mattr_accessor :unlock_url
-  self.unlock_url = nil
+  mattr_accessor :confirm_email_url
+  self.confirm_email_url = nil
 
-  def self.model
-    model_name.constantize
-  end
+  mattr_accessor :reset_password_url
+  self.reset_password_url = nil
 
-  def self.table_name
-    model_name.underscore.pluralize
-  end
+  mattr_accessor :accept_invitation_url
+  self.accept_invitation_url = nil
+
+  mattr_accessor :unlock_account_url
+  self.unlock_account_url = nil
+
+  mattr_accessor :avoid_email_errors
+  self.avoid_email_errors = true
 
   def self.setup
     yield self
   end
 
-  def self.auth_field_name!
-    field_name = RailsJwtAuth.auth_field_name
-    klass = RailsJwtAuth.model
-
-    unless field_name.present? &&
-           (klass.respond_to?(:column_names) && klass.column_names.include?(field_name) ||
-            klass.respond_to?(:fields) && klass.fields[field_name])
-      raise RailsJwtAuth::InvalidAuthField
-    end
-
-    field_name
+  def self.model
+    model_name.constantize
   end
 
-  def self.email_field_name!
-    field_name = RailsJwtAuth.email_field_name
-    klass = RailsJwtAuth.model
+  def self.mailer
+    mailer_name.constantize
+  end
 
-    unless field_name.present? &&
-           (klass.respond_to?(:column_names) && klass.column_names.include?(field_name) ||
-            klass.respond_to?(:fields) && klass.fields[field_name])
-      raise RailsJwtAuth::InvalidEmailField
-    end
+  def self.table_name
+    model_name.underscore.pluralize
+  end
 
-    field_name
+  # Thanks to https://github.com/heartcombo/devise/blob/master/lib/devise.rb#L496
+  def self.friendly_token(length = 24)
+    # To calculate real characters, we must perform this operation.
+    # See SecureRandom.urlsafe_base64
+    rlength = (length * 3 / 4) - 1
+    SecureRandom.urlsafe_base64(rlength, true).tr('lIO0', 'sxyz')
   end
 
   def self.send_email(method, user)
-    mailer = RailsJwtAuth::Mailer.with(user_id: user.id.to_s).public_send(method)
+    mailer = RailsJwtAuth.mailer.with(user_id: user.id.to_s).public_send(method)
     RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
   end
 end

data/lib/rails_jwt_auth/jwt_manager.rb

@@ -8,6 +8,8 @@ module RailsJwtAuth
 
     # Encodes and signs JWT Payload with expiration
     def self.encode(payload)
+      raise InvalidJwtPayload unless payload
+
       payload.reverse_merge!(meta)
       JWT.encode(payload, secret_key_base)
     end
@@ -25,9 +27,5 @@ module RailsJwtAuth
         iss: RailsJwtAuth.jwt_issuer
       }
     end
-
-    def self.decode_from_request(request)
-      decode(request.env['HTTP_AUTHORIZATION']&.split&.last)
-    end
   end
 end

data/lib/rails_jwt_auth/session.rb

@@ -0,0 +1,128 @@
+module RailsJwtAuth
+  class Session
+    attr_reader :user, :errors, :jwt
+
+    Errors = Struct.new :details # simulate ActiveModel::Errors
+
+    def initialize(params={})
+      @auth_field_value = (params[RailsJwtAuth.auth_field_name] || '').strip
+      @auth_field_value.downcase! if RailsJwtAuth.downcase_auth_field
+      @password = params[:password]
+
+      find_user if @auth_field_value.present?
+    end
+
+    def valid?
+      validate!
+
+      !errors?
+    end
+
+    def generate!(request)
+      if valid?
+        user.clean_reset_password if recoverable?
+        user.clean_lock if lockable?
+        user.track_session_info(request) if trackable?
+        user.load_auth_token
+
+        unless user.save
+          add_error(RailsJwtAuth.model_name.underscore, :invalid)
+
+          return false
+        end
+
+        generate_jwt(request)
+
+        true
+      else
+        user.failed_attempt if lockable?
+
+        false
+      end
+    end
+
+    private
+
+    def validate!
+      # Can't use ActiveModel::Validations since we have dynamic fields
+      @errors = Errors.new({})
+
+      validate_auth_field_presence
+      validate_password_presence
+      validate_user_exist
+      validate_user_is_confirmed if confirmable?
+      validate_user_is_not_locked if lockable?
+      validate_user_password unless errors?
+      validate_custom
+    end
+
+    def find_user
+      @user = RailsJwtAuth.model.where(RailsJwtAuth.auth_field_name => @auth_field_value).first
+    end
+
+    def confirmable?
+      @user&.kind_of?(RailsJwtAuth::Confirmable)
+    end
+
+    def lockable?
+      @user&.kind_of?(RailsJwtAuth::Lockable)
+    end
+
+    def recoverable?
+      @user&.kind_of?(RailsJwtAuth::Recoverable)
+    end
+
+    def trackable?
+      @user&.kind_of?(RailsJwtAuth::Trackable)
+    end
+
+    def user?
+      @user.present?
+    end
+
+    def field_error(field)
+      RailsJwtAuth.avoid_email_errors ? :session : field
+    end
+
+    def validate_auth_field_presence
+      add_error(RailsJwtAuth.auth_field_name, :blank) if @auth_field_value.blank?
+    end
+
+    def validate_password_presence
+      add_error(:password, :blank) if @password.blank?
+    end
+
+    def validate_user_exist
+      add_error(field_error(RailsJwtAuth.auth_field_name), :invalid) unless @user
+    end
+
+    def validate_user_password
+      add_error(field_error(:password), :invalid) unless @user.authenticate(@password)
+    end
+
+    def validate_user_is_confirmed
+      add_error(RailsJwtAuth.email_field_name, :unconfirmed) unless @user.confirmed?
+    end
+
+    def validate_user_is_not_locked
+      add_error(RailsJwtAuth.email_field_name, :locked) if @user.access_locked?
+    end
+
+    def validate_custom
+      # allow add custom validations overwriting this method
+    end
+
+    def add_error(field, detail)
+      @errors.details[field.to_sym] ||= []
+      @errors.details[field.to_sym].push({error: detail})
+    end
+
+    def errors?
+      @errors.details.any?
+    end
+
+    def generate_jwt(request)
+      @jwt = JwtManager.encode(user.to_token_payload(request))
+    end
+  end
+end