rails_jwt_auth 1.7.3 → 2.0.3

data/app/models/concerns/rails_jwt_auth/invitable.rb

@@ -11,115 +11,89 @@ module RailsJwtAuth
           field :invitation_token,         type: String
           field :invitation_sent_at,       type: Time
           field :invitation_accepted_at,   type: Time
-          field :invitation_created_at,    type: Time
         end
       end
     end
 
     module ClassMethods
       # Creates an user and sends an invitation to him.
-      # If the user is already invited and pending of completing registration
-      # the invitation is resent by email.
-      # If the user is already registered, it returns the user with a
-      # <tt>:taken</tt> on the email field.
-      #
-      # @param [Hash] attributes Hash containing user's attributes to be filled.
-      #               Must contain an email key.
-      #
-      # @return [user] The user created or found by email.
-      def invite!(attributes={})
+      def invite(attributes={})
         attrs = ActiveSupport::HashWithIndifferentAccess.new(attributes.to_h)
-        auth_field = RailsJwtAuth.auth_field_name!
+        auth_field = RailsJwtAuth.auth_field_name
         auth_attribute = attrs.delete(auth_field)
 
-        raise ArgumentError unless auth_attribute
-
         record = RailsJwtAuth.model.find_or_initialize_by(auth_field => auth_attribute)
         record.assign_attributes(attrs)
 
-        record.invite!
+        record.invite
         record
       end
     end
 
-    # Accept an invitation by clearing token and setting invitation_accepted_at
-    def accept_invitation
-      self.invitation_accepted_at = Time.current
-      self.invitation_token = nil
-    end
-
-    def accept_invitation!
-      return unless invited?
-
-      if valid_invitation?
-        accept_invitation
-        self.confirmed_at = Time.current if respond_to?(:confirmed_at) && confirmed_at.nil?
-      else
-        errors.add(:invitation_token, :invalid)
+    # Sends an invitation to user
+    # If the user has pending invitation, new one is sent
+    def invite
+      if persisted? && !invitation_token
+        errors.add(RailsJwtAuth.auth_field_name, :registered)
+        return false
       end
-    end
 
-    def invite!
-      self.invitation_created_at = Time.current if new_record?
+      @inviting = true
+      self.invitation_token = generate_invitation_token
+      self.invitation_sent_at = Time.current
 
-      unless password || password_digest
-        passw = SecureRandom.base58(16)
-        self.password = passw
-        self.password_confirmation = passw
-      end
+      return false unless save_without_password
 
-      valid?
+      RailsJwtAuth.send_email(:invitation_instructions, self)
+      true
+    ensure
+      @inviting = false
+    end
 
-      # users that are registered and were not invited are not reinvitable
-      if !new_record? && !invited?
-        errors.add(RailsJwtAuth.auth_field_name!, :taken)
-      end
+    # Finishes invitation process setting user password
+    def accept_invitation(params)
+      return false unless invitation_token.present?
 
-      # users that have already accepted an invitation are not reinvitable
-      if !new_record? && invited? && invitation_accepted_at.present?
-        errors.add(RailsJwtAuth.auth_field_name!, :taken)
-      end
+      self.assign_attributes(params)
 
-      return self unless errors.empty?
+      valid?
+      errors.add(:password, :blank) if params[:password].blank?
+      errors.add(:invitation_token, :expired) if expired_invitation_token?
 
-      generate_invitation_token if invitation_token.nil?
-      self.invitation_sent_at = Time.current
+      return false unless errors.empty?
 
-      send_invitation_mail if save(validate: false)
-      self
+      self.invitation_accepted_at = Time.current
+      self.invitation_token = nil
+      self.invitation_sent_at = nil
+      self.confirmed_at = Time.current if respond_to?(:confirmed_at) && confirmed_at.nil?
+      save
     end
 
-    def invited?
-      (persisted? && invitation_token.present?)
+    def inviting?
+      @inviting || false
     end
 
-    def generate_invitation_token!
-      generate_invitation_token && save(validate: false)
+    def valid_for_invite?
+      @inviting = true
+      valid_without_password?
+    ensure
+      @inviting = false
     end
 
-    def valid_invitation?
-      invited? && invitation_period_valid?
-    end
+    def expired_invitation_token?
+      expiration_time = RailsJwtAuth.invitation_expiration_time
+      return false if expiration_time.to_i.zero?
 
-    def accepted_invitation?
-      invitation_token.nil? && invitation_accepted_at.present?
+      invitation_sent_at && invitation_sent_at < expiration_time.ago
     end
 
     protected
 
     def generate_invitation_token
-      self.invitation_token = SecureRandom.base58(128)
-    end
-
-    def send_invitation_mail
-      RailsJwtAuth.email_field_name! # ensure email field is valid
-      RailsJwtAuth.send_email(:send_invitation, self)
-    end
-
-    def invitation_period_valid?
-      time = invitation_sent_at || invitation_created_at
-      expiration_time = RailsJwtAuth.invitation_expiration_time
-      time && (expiration_time.to_i.zero? || time >= expiration_time.ago)
+      loop do
+        token = RailsJwtAuth.friendly_token
+        return token unless self.class.where(invitation_token: token).exists?
+      end
     end
   end
 end

data/app/models/concerns/rails_jwt_auth/lockable.rb

@@ -13,66 +13,51 @@ module RailsJwtAuth
       end
     end
 
-    def lock_access!
-      self.locked_at = Time.now.utc
+    def lock_access
+      self.locked_at = Time.current
+
       save(validate: false).tap do |result|
         send_unlock_instructions if result && unlock_strategy_enabled?(:email)
       end
     end
 
-    def unlock_access!
+    def clean_lock
       self.locked_at = nil
-      self.failed_attempts = 0
-      self.first_failed_attempt_at = nil
       self.unlock_token = nil
-      save(validate: false)
+      reset_attempts
     end
 
-    def reset_attempts!
-      self.failed_attempts = 0
-      self.first_failed_attempt_at = nil
-      save(validate: false)
+    def unlock_access
+      clean_lock
+
+      save(validate: false) if changed?
     end
 
-    def authentication?(pass)
-      return super(pass) unless lock_strategy_enabled?(:failed_attempts)
+    def access_locked?
+      locked_at && !lock_expired?
+    end
 
-      reset_attempts! if !access_locked? && attempts_expired?
-      unlock_access! if lock_expired?
+    def failed_attempt
+      return if access_locked?
 
-      if access_locked?
-        false
-      elsif super(pass)
-        unlock_access!
-        self
-      else
-        failed_attempt!
-        lock_access! if attempts_exceeded?
-        false
-      end
-    end
+      reset_attempts if attempts_expired?
 
-    def unauthenticated_error
-      return super unless lock_strategy_enabled?(:failed_attempts)
+      self.failed_attempts ||= 0
+      self.failed_attempts += 1
+      self.first_failed_attempt_at = Time.current if failed_attempts == 1
 
-      if access_locked?
-        {error: :locked}
-      else
-        {error: :invalid_session, remaining_attempts: remaining_attempts}
+      save(validate: false).tap do |result|
+        lock_access if result && attempts_exceeded?
       end
     end
 
     protected
 
     def send_unlock_instructions
-      self.unlock_token = SecureRandom.base58(24)
+      self.unlock_token = generate_unlock_token
       save(validate: false)
 
-      RailsJwtAuth.send_email(:send_unlock_instructions, self)
-    end
-
-    def access_locked?
-      locked_at && !lock_expired?
+      RailsJwtAuth.send_email(:unlock_instructions, self)
     end
 
     def lock_expired?
@@ -83,25 +68,32 @@ module RailsJwtAuth
       end
     end
 
-    def failed_attempt!
-      self.failed_attempts ||= 0
-      self.failed_attempts += 1
-      self.first_failed_attempt_at = Time.now.utc if failed_attempts == 1
-      save(validate: false)
-    end
-
-    def attempts_exceeded?
-      failed_attempts && failed_attempts >= RailsJwtAuth.maximum_attempts
+    def reset_attempts
+      self.failed_attempts = 0
+      self.first_failed_attempt_at = nil
     end
 
     def remaining_attempts
       RailsJwtAuth.maximum_attempts - failed_attempts.to_i
     end
 
+    def attempts_exceeded?
+      !remaining_attempts.positive?
+    end
+
     def attempts_expired?
       first_failed_attempt_at && first_failed_attempt_at < RailsJwtAuth.reset_attempts_in.ago
     end
 
+    protected
+
+    def generate_unlock_token
+      loop do
+        token = RailsJwtAuth.friendly_token
+        return token unless self.class.where(unlock_token: token).exists?
+      end
+    end
+
     def lock_strategy_enabled?(strategy)
       RailsJwtAuth.lock_strategy == strategy
     end

data/app/models/concerns/rails_jwt_auth/recoverable.rb

@@ -10,20 +10,11 @@ module RailsJwtAuth
           field :reset_password_token,   type: String
           field :reset_password_sent_at, type: Time
         end
-
-        validate :validate_reset_password_token, if: :password_digest_changed?
-
-        before_update do
-          if password_digest_changed? && reset_password_token
-            self.reset_password_token = nil
-            self.auth_tokens = []
-          end
-        end
       end
     end
 
     def send_reset_password_instructions
-      email_field = RailsJwtAuth.email_field_name! # ensure email field es valid
+      email_field = RailsJwtAuth.email_field_name # ensure email field es valid
 
       if self.class.ancestors.include?(RailsJwtAuth::Confirmable) && !confirmed?
         errors.add(email_field, :unconfirmed)
@@ -36,35 +27,45 @@ module RailsJwtAuth
         return false
       end
 
-      self.reset_password_token = SecureRandom.base58(24)
+      self.reset_password_token = generate_reset_password_token
       self.reset_password_sent_at = Time.current
       return false unless save
 
       RailsJwtAuth.send_email(:reset_password_instructions, self)
     end
 
-    def set_and_send_password_instructions
-      RailsJwtAuth.email_field_name! # ensure email field es valid
-      return if password.present?
+    def set_reset_password(params)
+      self.assign_attributes(params)
 
-      self.password = SecureRandom.base58(48)
-      self.password_confirmation = self.password
-      self.skip_confirmation! if self.class.ancestors.include?(RailsJwtAuth::Confirmable)
+      valid?
+      errors.add(:password, :blank) if params[:password].blank?
+      errors.add(:reset_password_token, :expired) if expired_reset_password_token?
 
-      self.reset_password_token = SecureRandom.base58(24)
-      self.reset_password_sent_at = Time.current
-      return false unless save
+      return false unless errors.empty?
+
+      clean_reset_password
+      self.auth_tokens = [] # reset all sessions
+      save
+    end
+
+    def expired_reset_password_token?
+      expiration_time = RailsJwtAuth.reset_password_expiration_time
+      return false if expiration_time.to_i.zero?
+
+      reset_password_sent_at && reset_password_sent_at < expiration_time.ago
+    end
 
-      RailsJwtAuth.send_email(:set_password_instructions, self)
-      true
+    def clean_reset_password
+      self.reset_password_sent_at = nil
+      self.reset_password_token = nil
     end
 
     protected
 
-    def validate_reset_password_token
-      if reset_password_sent_at &&
-         (reset_password_sent_at < (Time.current - RailsJwtAuth.reset_password_expiration_time))
-        errors.add(:reset_password_token, :expired)
+    def generate_reset_password_token
+      loop do
+        token = RailsJwtAuth.friendly_token
+        return token unless self.class.where(reset_password_token: token).exists?
       end
     end
   end

data/app/models/concerns/rails_jwt_auth/trackable.rb

@@ -1,9 +1,18 @@
 module RailsJwtAuth
   module Trackable
-    def update_tracked_fields!(request)
+    def track_session_info(request)
+      return unless request
+
       self.last_sign_in_at = Time.current
       self.last_sign_in_ip = request.respond_to?(:remote_ip) ? request.remote_ip : request.ip
-      save(validate: false)
+    end
+
+    def update_tracked_request_info(request)
+      return unless request
+
+      self.last_request_at = Time.current
+      self.last_request_ip = request.respond_to?(:remote_ip) ? request.remote_ip : request.ip
+      self.save(validate: false)
     end
 
     def self.included(base)
@@ -11,6 +20,8 @@ module RailsJwtAuth
         if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
           field :last_sign_in_at, type: Time
           field :last_sign_in_ip, type: String
+          field :last_request_at, type: Time
+          field :last_request_ip, type: String
         end
       end
     end

data/app/views/rails_jwt_auth/mailer/confirmation_instructions.html.erb

@@ -2,4 +2,4 @@
 
 <p>You can confirm your account email through the link below:</p>
 
-<p><%= link_to 'Confirm my account', @confirmations_url.html_safe %></p>
+<p><%= link_to 'Confirm my account', @confirm_email_url.html_safe %></p>

data/app/views/rails_jwt_auth/mailer/{send_invitation.html.erb → invitation_instructions.html.erb}

@@ -3,4 +3,4 @@
 <p>Someone has sent you an invitation to App.</p>
 <p>To complete registration setting a password, please click the following link.</p>
 
-<p><%= link_to "Accept invitation", @invitations_url.html_safe %></p>
+<p><%= link_to "Accept invitation", @accept_invitation_url.html_safe %></p>

data/app/views/rails_jwt_auth/mailer/password_changed_notification.html.erb

@@ -0,0 +1,3 @@
+<p>Hello <%= @user[RailsJwtAuth.email_field_name] %>!</p>
+
+<p>We're contacting you to notify you that your password has been changed.</p>

data/app/views/rails_jwt_auth/mailer/reset_password_instructions.html.erb

@@ -2,7 +2,7 @@
 
 <p>Someone has requested a link to change your password. You can do this through the link below.</p>
 
-<p><%= link_to 'Change my password', @reset_passwords_url.html_safe %></p>
+<p><%= link_to 'Change my password', @reset_password_url.html_safe %></p>
 
 <p>If you didn't request this, please ignore this email.</p>
 <p>Your password won't change until you access the link above and create a new one.</p>

data/app/views/rails_jwt_auth/mailer/{send_unlock_instructions.html.erb → unlock_instructions.html.erb}

@@ -4,4 +4,4 @@
 
 <p>Click the link below to unlock your account:</p>
 
-<p><%= link_to 'Unlock my account', @unlock_url.html_safe %></p>
+<p><%= link_to 'Unlock my account', @unlock_account_url.html_safe %></p>

data/config/locales/en.yml

@@ -5,11 +5,11 @@ en:
         subject: "Confirmation instructions"
       reset_password_instructions:
         subject: "Reset password instructions"
-      set_password_instructions:
-        subject: "Set password instructions"
-      send_invitation:
+      invitation_instructions:
         subject: "Someone has sent you an invitation!"
-      email_changed:
-        subject: "Email changed"
-      send_unlock_instructions:
+      email_change_requested_notification:
+        subject: "Email change"
+      password_changed_notification:
+        subject: "Password changed"
+      unlock_instructions:
         subject: "Unlock instructions"

data/lib/generators/rails_jwt_auth/install_generator.rb

@@ -8,10 +8,18 @@ class RailsJwtAuth::InstallGenerator < Rails::Generators::Base
   def create_routes
     route "resource :session, controller: 'rails_jwt_auth/sessions', only: [:create, :destroy]"
     route "resource :registration, controller: 'rails_jwt_auth/registrations', only: [:create]"
+    route %q(
+      resource :profile, controller: 'rails_jwt_auth/profiles', only: %i[show update] do
+        collection do
+          put :email
+          put :password
+        end
+      end
+    )
 
     route "resources :confirmations, controller: 'rails_jwt_auth/confirmations', only: [:create, :update]"
-    route "resources :passwords, controller: 'rails_jwt_auth/passwords', only: [:create, :update]"
-    route "resources :invitations, controller: 'rails_jwt_auth/invitations', only: [:create, :update]"
-    route "resources :unlocks, controller: 'rails_jwt_auth/unlocks', only: %i[update]"
+    route "resources :reset_passwords, controller: 'rails_jwt_auth/reset_passwords', only: [:show, :create, :update]"
+    route "resources :invitations, controller: 'rails_jwt_auth/invitations', only: [:show, :create, :update]"
+    route "resources :unlock_accounts, controller: 'rails_jwt_auth/unlock_accounts', only: %i[update]"
   end
 end

data/lib/generators/templates/initializer.rb

@@ -1,65 +1,79 @@
 RailsJwtAuth.setup do |config|
   # authentication model class name
-  #config.model_name = 'User'
+  # config.model_name = 'User'
 
   # field name used to authentication with password
-  #config.auth_field_name = 'email'
+  # config.auth_field_name = 'email'
 
   # define email field name used to send emails
-  #config.email_field_name = 'email'
+  # config.email_field_name = 'email'
+
+  # Regex used to validate email input on requests like reset password
+  # config.email_regex = URI::MailTo::EMAIL_REGEXP
+
+  # apply downcase to auth field when save user and when init session
+  # config.downcase_auth_field = false
 
   # expiration time for generated tokens
-  #config.jwt_expiration_time = 7.days
+  # config.jwt_expiration_time = 7.days
 
   # the "iss" (issuer) claim identifies the principal that issued the JWT
-  #config.jwt_issuer = 'RailsJwtAuth'
+  # config.jwt_issuer = 'RailsJwtAuth'
 
   # number of simultaneously sessions for an user
-  #config.simultaneous_sessions = 2
+  # config.simultaneous_sessions = 2
+
+  # mailer class name
+  # config.mailer_name = 'RailsJwtAuth::Mailer'
 
   # mailer sender
-  #config.mailer_sender = 'initialize-mailer_sender@example.com'
+  # config.mailer_sender = 'initialize-mailer_sender@example.com'
+
+  # activate email notification when email is changed
+  # config.send_email_change_requested_notification = true
+
+  # activate email notification when password is changed
+  # config.send_password_changed_notification = true
 
   # expiration time for confirmation tokens
-  #config.confirmation_expiration_time = 1.day
+  # config.confirmation_expiration_time = 1.day
 
   # expiration time for reset password tokens
-  #config.reset_password_expiration_time = 1.day
+  # config.reset_password_expiration_time = 1.day
 
   # time an invitation is valid after sent
   # config.invitation_expiration_time = 2.days
 
-  # url used to create email link with confirmation token
-  #config.confirmations_url = 'http://frontend.com/confirmation'
-
-  # url used to create email link with reset password token
-  #config.reset_passwords_url = 'http://frontend.com/reset_password'
-
-  # url used to create email link with set password token
-  # by set_and_send_password_instructions method
-  #config.set_passwords_url = 'http://frontend.com/set_password'
-
-  # url used to create email link with activation token parameter to accept invitation
-  #config.invitations_url = 'http://frontend.com/accept_invitation'
-
   # uses deliver_later to send emails instead of deliver method
-  #config.deliver_later = false
+  # config.deliver_later = false
 
   # maximum login attempts before locking an account
-  #config.maximum_attempts = 3
+  # config.maximum_attempts = 3
 
   # strategy to lock an account: :none or :failed_attempts
-  #config.lock_strategy = :failed_attempts
+  # config.lock_strategy = :failed_attempts
 
   # strategy to use when unlocking accounts: :time, :email or :both
-  #config.unlock_strategy = :time
+  # config.unlock_strategy = :time
 
   # interval to unlock an account if unlock_strategy is :time
-  #config.unlock_in = 60.minutes
+  # config.unlock_in = 60.minutes
 
   # interval after which to reset failed attempts counter of an account
-  #config.reset_attempts_in = 60.minutes
+  # config.reset_attempts_in = 60.minutes
+  #
+  # url used to create email link with confirmation token
+  # config.confirm_email_url = 'http://frontend.com/confirm-email'
+
+  # url used to create email link with reset password token
+  # config.reset_password_url = 'http://frontend.com/reset-password'
+
+  # url used to create email link with activation token parameter to accept invitation
+  # config.accept_invitation_url = 'http://frontend.com/accept-invitation'
 
   # url used to create email link with unlock token
-  #config.unlock_url = 'http://frontend.com/unlock-account'
+  # config.unlock_account_url = 'http://frontend.com/unlock-account'
+
+  # set false to avoid giving clue about the existing emails with errors
+  # config.avoid_email_errors = true
 end

data/lib/generators/templates/migration.rb

@@ -18,12 +18,13 @@ class Create<%= RailsJwtAuth.model_name.pluralize %> < ActiveRecord::Migration<%
       ## Trackable
       # t.string :last_sign_in_ip
       # t.datetime :last_sign_in_at
+      # t.string :last_request_ip
+      # t.datetime :last_request_at
 
       ## Invitable
       # t.string :invitation_token
       # t.datetime :invitation_sent_at
       # t.datetime :invitation_accepted_at
-      # t.datetime :invitation_created_at
 
       ## Lockable
       # t.integer :failed_attempts

data/lib/rails_jwt_auth/jwt_manager.rb

@@ -8,6 +8,8 @@ module RailsJwtAuth
 
     # Encodes and signs JWT Payload with expiration
     def self.encode(payload)
+      raise InvalidJwtPayload unless payload
+
       payload.reverse_merge!(meta)
       JWT.encode(payload, secret_key_base)
     end
@@ -25,9 +27,5 @@ module RailsJwtAuth
         iss: RailsJwtAuth.jwt_issuer
       }
     end
-
-    def self.decode_from_request(request)
-      decode(request.env['HTTP_AUTHORIZATION']&.split&.last)
-    end
   end
 end