rails_simple_auth 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9da9b2ca95ab7bc4d65390921ab753bfc4181efc88c28ed745bebae4268310a6
+  data.tar.gz: 0bf68d88f90560c275c4f680b5c741cb458badc4a328d1fd24ae8ff854834a87
+SHA512:
+  metadata.gz: 6099797336414bc988d390ced5d6bb73f8def1c1ac57cee123d86c12945c2784b613b3e476c49ac7334de115a5ae53338da0107282cbd9cc6b0e2a4d01d2710d
+  data.tar.gz: 5f676fbf88a8b574cadaa43c96bc52c9e928c966b1d187f31b826c360d1472b160ed473e11582cfa84e232a242275e2ce2fb06714ba9d0a98501734023f94399

data/CHANGELOG.md

@@ -0,0 +1,32 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [1.0.0] - 2025-01-18
+
+### Added
+
+- Initial release extracted from [Writero](https://github.com/ivankuznetsov/writero)
+- Session-based authentication with `has_secure_password`
+- Magic link authentication (passwordless login via email)
+- Email confirmation flow for new registrations
+- Password reset flow with secure tokens
+- OAuth support (Google, GitHub) via OmniAuth
+- Rate limiting on authentication endpoints (Rails 8 rate_limit DSL)
+- Configurable callbacks (`after_sign_in_callback`, `after_sign_out_callback`, etc.)
+- Configurable redirect paths (`after_sign_in_path`, `after_sign_out_path`, etc.)
+- Views generator (`rails g rails_simple_auth:views`) for customization
+- CSS generator (`rails g rails_simple_auth:css`) for styling
+- Install generator (`rails g rails_simple_auth:install`) for setup
+- Session management with automatic cleanup of expired sessions
+- Current user tracking via `RailsSimpleAuth::Current`
+- Comprehensive security measures:
+  - Open redirect prevention
+  - Configurable OAuth account linking
+  - Secure signed tokens for password reset and magic links
+  - Session invalidation on password change

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Ivan Kuznetsov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,276 @@
+# RailsSimpleAuth
+
+Simple, secure authentication for Rails 8+ applications. Built on Rails primitives with no magic.
+
+## Features
+
+- **Email/Password authentication** with bcrypt
+- **Magic link** (passwordless) authentication
+- **Email confirmation** with signed tokens
+- **Password reset** with signed tokens
+- **OAuth support** (Google, GitHub, etc.)
+- **Rate limiting** built-in
+- **Session tracking** with IP and user agent
+- **Customizable styling** via CSS variables
+- **No dependencies** beyond Rails and bcrypt
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem "rails_simple_auth"
+```
+
+Then run:
+
+```bash
+bundle install
+```
+
+Run the installer:
+
+```bash
+rails generate rails_simple_auth:install
+rails db:migrate
+```
+
+Add concerns to your User model:
+
+```ruby
+class User < ApplicationRecord
+  include RailsSimpleAuth::Models::Concerns::Authenticatable
+  include RailsSimpleAuth::Models::Concerns::Confirmable      # optional
+  include RailsSimpleAuth::Models::Concerns::MagicLinkable    # optional
+  include RailsSimpleAuth::Models::Concerns::OAuthConnectable # optional
+
+  # Your custom fields and validations
+  validates :company_name, presence: true
+end
+```
+
+Protect your routes:
+
+```ruby
+class ApplicationController < ActionController::Base
+  before_action :require_authentication
+end
+```
+
+## User Model Customization
+
+The gem doesn't own your User model—you do. Add any custom fields:
+
+```ruby
+# db/migrate/xxx_create_users.rb
+class CreateUsers < ActiveRecord::Migration[8.0]
+  def change
+    create_table :users do |t|
+      # Required by gem
+      t.string :email_address, null: false
+      t.string :password_digest, null: false
+      t.datetime :confirmed_at  # if using Confirmable
+
+      # Your custom fields
+      t.string :name
+      t.string :company_name
+      t.boolean :admin, default: false
+      t.string :oauth_provider
+      t.string :oauth_uid
+
+      t.timestamps
+    end
+
+    add_index :users, :email_address, unique: true
+  end
+end
+```
+
+## Styling
+
+The gem ships with **no CSS by default** (Option B). Generate base styles:
+
+```bash
+rails generate rails_simple_auth:css
+```
+
+Then customize by overriding CSS variables:
+
+```css
+/* In your application.css */
+:root {
+  --rsa-color-primary: #22c55e;        /* Your brand color */
+  --rsa-color-background-form: #f0fdf4; /* Form background */
+  --rsa-color-text: #166534;           /* Text color */
+}
+```
+
+Or edit `rails_simple_auth.css` directly for complete control.
+
+### CSS Variables Reference
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `--rsa-color-primary` | `#3b82f6` | Primary button/link color |
+| `--rsa-color-primary-hover` | `#2563eb` | Primary hover state |
+| `--rsa-color-background-form` | `#ffffff` | Form container background |
+| `--rsa-color-text` | `#374151` | Main text color |
+| `--rsa-color-text-muted` | `#6b7280` | Secondary text color |
+| `--rsa-color-border` | `#e5e7eb` | Border color |
+| `--rsa-color-danger` | `#dc2626` | Error message color |
+
+## View Customization
+
+Copy views for full customization:
+
+```bash
+rails generate rails_simple_auth:views
+
+# Or specific views only
+rails generate rails_simple_auth:views --only sessions passwords
+```
+
+Views use BEM naming: `.rsa-auth-form`, `.rsa-auth-form__input`, etc.
+
+## Configuration
+
+```ruby
+# config/initializers/rails_simple_auth.rb
+RailsSimpleAuth.configure do |config|
+  # Features
+  config.magic_link_enabled = true
+  config.email_confirmation_enabled = true
+  config.enable_oauth(:google, :github)
+
+  # Token expiration
+  config.magic_link_expiry = 15.minutes
+  config.password_reset_expiry = 15.minutes
+  config.confirmation_expiry = 24.hours
+
+  # Paths (symbol, string, or proc)
+  config.after_sign_in_path = :dashboard_path
+  config.after_sign_out_path = -> { new_session_path }
+
+  # Layout
+  config.layout = "auth"  # Use a custom layout
+
+  # Mailer
+  config.mailer_sender = "auth@myapp.com"
+
+  # Password requirements
+  config.password_minimum_length = 12
+
+  # Callbacks
+  config.after_sign_in_callback = ->(user, controller) {
+    Analytics.track("sign_in", user_id: user.id)
+  }
+end
+```
+
+## OAuth Setup
+
+1. Enable providers:
+
+```ruby
+RailsSimpleAuth.configure do |config|
+  config.enable_oauth(:google, :github)
+end
+```
+
+2. Configure OmniAuth:
+
+```ruby
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"]
+  provider :github, ENV["GITHUB_CLIENT_ID"], ENV["GITHUB_CLIENT_SECRET"]
+end
+```
+
+3. Optionally map OAuth fields:
+
+```ruby
+class User < ApplicationRecord
+  include RailsSimpleAuth::Models::Concerns::OAuthConnectable
+
+  def assign_oauth_attributes(auth_hash)
+    self.name = auth_hash.dig("info", "name")
+    self.avatar_url = auth_hash.dig("info", "image")
+    self.oauth_provider = auth_hash["provider"]
+    self.oauth_uid = auth_hash["uid"]
+  end
+end
+```
+
+## Controller Customization
+
+Subclass controllers for custom behavior:
+
+```ruby
+# app/controllers/sessions_controller.rb
+class SessionsController < RailsSimpleAuth::SessionsController
+  def after_sign_in(user)
+    track_login(user)
+    super
+  end
+end
+```
+
+Update routes to use your controller:
+
+```ruby
+rails_simple_auth_routes(sessions_controller: "sessions")
+```
+
+## Helpers
+
+Available in controllers and views:
+
+```ruby
+current_user          # The signed-in user (or nil)
+user_signed_in?       # Boolean
+require_authentication # Redirects if not signed in
+```
+
+Access anywhere via:
+
+```ruby
+RailsSimpleAuth::Current.user
+```
+
+## Routes
+
+The gem adds these routes:
+
+| Method | Path | Description |
+|--------|------|-------------|
+| GET | `/session/new` | Sign in form |
+| POST | `/session` | Create session |
+| DELETE | `/session` | Sign out |
+| GET | `/sign_up` | Sign up form |
+| POST | `/sign_up` | Create account |
+| GET | `/passwords/new` | Password reset form |
+| POST | `/passwords` | Send reset email |
+| GET | `/passwords/:token/edit` | New password form |
+| PATCH | `/passwords/:token` | Update password |
+| GET | `/confirmations/new` | Resend confirmation |
+| POST | `/confirmations` | Send confirmation |
+| GET | `/confirmations/:token` | Confirm email |
+| GET | `/magic_link_form` | Magic link form |
+| POST | `/request_magic_link` | Send magic link |
+| GET | `/magic_link` | Login via magic link |
+
+## Security Features
+
+- **BCrypt password hashing** with salts
+- **Constant-time comparison** prevents timing attacks
+- **Signed tokens** for all email links
+- **Rate limiting** on all auth endpoints
+- **HttpOnly cookies** for session tokens
+- **SameSite=Lax** CSRF protection
+- **Session invalidation** on password change
+- **IP and user agent tracking** for audit
+
+## License
+
+MIT License

data/app/controllers/rails_simple_auth/base_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  class BaseController < ::ApplicationController
+    include RailsSimpleAuth::Controllers::Concerns::Authentication
+    include RailsSimpleAuth::Controllers::Concerns::SessionManagement
+
+    layout -> { RailsSimpleAuth.configuration.layout }
+
+    private
+
+    def user_class
+      RailsSimpleAuth.configuration.user_class
+    end
+  end
+end

data/app/controllers/rails_simple_auth/confirmations_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  class ConfirmationsController < BaseController
+    skip_before_action :require_authentication, only: %i[new create show], raise: false
+
+    unless Rails.env.local?
+      rate_limit to: 3, within: 1.hour, by: -> { client_ip }, only: :create,
+                 with: -> { redirect_to new_confirmation_path, alert: "Too many confirmation requests. Please try again later." }
+    end
+
+    def new
+    end
+
+    def create
+      user = user_class.find_by_email(params[:email_address])
+
+      if user && user.respond_to?(:unconfirmed?) && user.unconfirmed?
+        token = user.generate_confirmation_token
+        RailsSimpleAuth.configuration.mailer.confirmation(user, token).deliver_later
+      end
+
+      redirect_to new_session_path, notice: "If an unconfirmed account exists with that email, confirmation instructions have been sent."
+    end
+
+    def show
+      user = user_class.find_signed(params[:token], purpose: :email_confirmation)
+
+      if user
+        user.confirm! if user.respond_to?(:confirm!)
+        run_after_confirmation_callback(user)
+        redirect_to resolve_path(:after_confirmation_path), notice: "Email confirmed! You can now sign in."
+      else
+        redirect_to new_confirmation_path, alert: "Invalid or expired confirmation link."
+      end
+    end
+
+    private
+
+    def run_after_confirmation_callback(user)
+      callback = RailsSimpleAuth.configuration.after_confirmation_callback
+      callback&.call(user, self)
+    end
+  end
+end

data/app/controllers/rails_simple_auth/omniauth_callbacks_controller.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  class OmniauthCallbacksController < BaseController
+    skip_before_action :require_authentication, raise: false
+    skip_before_action :verify_authenticity_token, only: :create
+
+    def create
+      auth_hash = request.env["omniauth.auth"]
+      provider = params[:provider]
+
+      unless RailsSimpleAuth.configuration.oauth_provider_enabled?(provider)
+        redirect_to new_session_path, alert: "OAuth provider not enabled."
+        return
+      end
+
+      user = user_class.from_oauth(auth_hash)
+
+      if user&.persisted?
+        create_session_for(user)
+        run_after_sign_in_callback(user)
+        redirect_to resolve_path(:after_sign_in_path), notice: "Signed in successfully with #{provider.to_s.capitalize}."
+      else
+        redirect_to new_session_path, alert: "Could not authenticate with #{provider.to_s.capitalize}."
+      end
+    end
+
+    def failure
+      redirect_to new_session_path, alert: "Authentication failed. Please try again."
+    end
+  end
+end

data/app/controllers/rails_simple_auth/passwords_controller.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  class PasswordsController < BaseController
+    skip_before_action :require_authentication, only: %i[new create edit update], raise: false
+    before_action :set_user_from_token, only: %i[edit update]
+
+    unless Rails.env.local?
+      rate_limit to: 3, within: 1.hour, by: -> { client_ip }, only: :create,
+                 with: -> { redirect_to new_password_path, alert: "Too many password reset requests. Please try again later." }
+    end
+
+    def new
+    end
+
+    def create
+      user = user_class.find_by_email(params[:email_address])
+
+      if user && can_reset_password?(user)
+        token = user.generate_password_reset_token
+        RailsSimpleAuth.configuration.mailer.password_reset(user, token).deliver_later
+      end
+
+      redirect_to new_session_path, notice: "If an account exists with that email, password reset instructions have been sent."
+    end
+
+    def edit
+    end
+
+    def update
+      ActiveRecord::Base.transaction do
+        if @user.update(password_params)
+          @user.invalidate_all_sessions!
+          redirect_to new_session_path, notice: "Password has been reset. Please sign in with your new password."
+        else
+          render :edit, status: :unprocessable_content
+          raise ActiveRecord::Rollback
+        end
+      end
+    rescue ActiveRecord::StatementInvalid => e
+      Rails.logger.error(
+        "[RailsSimpleAuth] Session invalidation failed after password reset for user #{@user.id}: #{e.message}"
+      )
+      # Password was rolled back due to transaction, redirect with error
+      redirect_to new_password_path, alert: "Password reset failed. Please try again."
+    end
+
+    private
+
+    def set_user_from_token
+      @user = user_class.find_signed(params[:token], purpose: :password_reset)
+      redirect_to new_password_path, alert: "Invalid or expired password reset link." unless @user
+    end
+
+    def can_reset_password?(user)
+      return true unless RailsSimpleAuth.configuration.email_confirmation_enabled
+      return true unless user.respond_to?(:confirmed?)
+
+      user.confirmed?
+    end
+
+    def password_params
+      params.require(:user).permit(:password, :password_confirmation)
+    end
+  end
+end

data/app/controllers/rails_simple_auth/registrations_controller.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  class RegistrationsController < BaseController
+    skip_before_action :require_authentication, only: %i[new create], raise: false
+
+    unless Rails.env.local?
+      rate_limit to: 5, within: 1.hour, by: -> { client_ip }, only: :create,
+                 with: -> { redirect_to sign_up_path, alert: "Too many sign up attempts. Please try again later." }
+    end
+
+    def new
+      redirect_to resolve_path(:after_sign_in_path) if user_signed_in?
+      @user = user_class.new
+    end
+
+    def create
+      @user = user_class.new(registration_params)
+
+      if @user.save
+        after_successful_registration
+      else
+        render :new, status: :unprocessable_content
+      end
+    end
+
+    private
+
+    def registration_params
+      params.require(:user).permit(:email_address, :password)
+    end
+
+    def after_successful_registration
+      if RailsSimpleAuth.configuration.email_confirmation_enabled
+        send_confirmation_email(@user)
+        run_after_sign_up_callback(@user)
+        redirect_to new_session_path, notice: "Account created! Please check your email to confirm your account."
+      else
+        create_session_for(@user)
+        run_after_sign_up_callback(@user)
+        redirect_to resolve_path(:after_sign_up_path), notice: "Account created successfully!"
+      end
+    end
+
+    def send_confirmation_email(user)
+      return unless user.respond_to?(:generate_confirmation_token)
+
+      token = user.generate_confirmation_token
+      RailsSimpleAuth.configuration.mailer.confirmation(user, token).deliver_later
+    end
+  end
+end

data/app/controllers/rails_simple_auth/sessions_controller.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  class SessionsController < BaseController
+    skip_before_action :require_authentication,
+                       only: %i[new create magic_link_form request_magic_link magic_link_login],
+                       raise: false
+
+    unless Rails.env.local?
+      rate_limit to: 5, within: 15.minutes, by: -> { client_ip }, only: :create,
+                 with: -> { redirect_to new_session_path, alert: "Too many login attempts. Please try again later." }
+
+      rate_limit to: 3, within: 10.minutes, by: -> { params[:email_address].to_s.downcase }, only: :request_magic_link,
+                 with: -> { redirect_to new_session_path, alert: "Too many magic link requests. Please try again later." }
+
+      rate_limit to: 5, within: 15.minutes, by: -> { client_ip }, only: :magic_link_login,
+                 with: -> { redirect_to new_session_path, alert: "Too many magic link attempts. Please try again later." }
+    end
+
+    def new
+      redirect_to resolve_path(:after_sign_in_path) if user_signed_in?
+    end
+
+    def create
+      user = user_class.find_by_email(params[:email_address]) || user_class.new(password: SecureRandom.hex(32))
+
+      if user.authenticate(params[:password]) && user.persisted?
+        if confirmation_required_for?(user)
+          @error_message = "Please confirm your email before signing in."
+          @previous_email = params[:email_address]
+          render :new, status: :unprocessable_content
+        else
+          sign_in_and_redirect(user)
+        end
+      else
+        Rails.logger.warn("Failed login attempt for email: #{params[:email_address]} from IP: #{client_ip}")
+        @error_message = "Invalid email or password"
+        @previous_email = params[:email_address]
+        render :new, status: :unprocessable_content
+      end
+    end
+
+    def destroy
+      user = current_user
+      destroy_current_session
+      run_after_sign_out_callback(user) if user
+      redirect_to resolve_path(:after_sign_out_path), notice: "Signed out successfully."
+    end
+
+    def magic_link_form
+      redirect_to resolve_path(:after_sign_in_path) if user_signed_in?
+    end
+
+    def request_magic_link
+      user = user_class.find_by_email(params[:email_address])
+
+      if user && user.respond_to?(:generate_magic_link_token)
+        token = user.generate_magic_link_token
+        RailsSimpleAuth.configuration.mailer.magic_link(user, token).deliver_later
+      end
+
+      redirect_to new_session_path, notice: "If an account exists with that email, a magic link has been sent."
+    end
+
+    def magic_link_login
+      user = user_class.find_signed(params[:token], purpose: :magic_link)
+
+      if user
+        user.confirm! if user.respond_to?(:confirm!) && user.respond_to?(:unconfirmed?) && user.unconfirmed?
+        sign_in_and_redirect(user)
+      else
+        redirect_to new_session_path, alert: "Invalid or expired magic link."
+      end
+    end
+
+    private
+
+    def confirmation_required_for?(user)
+      RailsSimpleAuth.configuration.email_confirmation_enabled &&
+        user.respond_to?(:unconfirmed?) &&
+        user.unconfirmed?
+    end
+
+    def sign_in_and_redirect(user)
+      create_session_for(user)
+      run_after_sign_in_callback(user)
+      redirect_to stored_location_or_default, notice: "Signed in successfully."
+    end
+  end
+end

data/app/mailers/rails_simple_auth/auth_mailer.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  class AuthMailer < ActionMailer::Base
+    default from: -> { RailsSimpleAuth.configuration.mailer_sender }
+
+    def confirmation(user, token)
+      @user = user
+      @token = token
+      @confirmation_url = main_app.confirmation_url(token: token)
+
+      mail(
+        to: user.email_address,
+        subject: "Confirm your email"
+      )
+    end
+
+    def magic_link(user, token)
+      @user = user
+      @token = token
+      @magic_link_url = main_app.magic_link_url(token: token)
+
+      mail(
+        to: user.email_address,
+        subject: "Sign in to your account"
+      )
+    end
+
+    def password_reset(user, token)
+      @user = user
+      @token = token
+      @password_reset_url = main_app.edit_password_url(token: token)
+
+      mail(
+        to: user.email_address,
+        subject: "Reset your password"
+      )
+    end
+
+    private
+
+    def main_app
+      Rails.application.routes.url_helpers
+    end
+  end
+end