rails_simple_auth 1.0.0 → 1.0.2

data/lib/rails_simple_auth/controllers/concerns/authentication.rb

@@ -17,9 +17,9 @@ module RailsSimpleAuth
           return unless (session_token = cookies.signed.permanent[:session_token])
 
           session_record = RailsSimpleAuth.configuration.session_class
-                             .includes(:user)
-                             .active
-                             .find_by(id: session_token)
+                                          .includes(:user)
+                                          .active
+                                          .find_by(id: session_token)
 
           if session_record
             RailsSimpleAuth::Current.user = session_record.user
@@ -51,8 +51,8 @@ module RailsSimpleAuth
 
           # SECURITY: Validate path to prevent open redirect attacks
           # Only store relative paths that start with / but not //
-          return unless path.start_with?("/")
-          return if path.start_with?("//")
+          return unless path.start_with?('/')
+          return if path.start_with?('//')
 
           session[:return_to] = path
         end
@@ -63,34 +63,33 @@ module RailsSimpleAuth
 
         def redirect_to_sign_in
           respond_to do |format|
-            format.html { redirect_to new_session_path, alert: "Please sign in to continue." }
-            format.json { render json: { error: "Authentication required" }, status: :unauthorized }
-            format.turbo_stream { redirect_to new_session_path, alert: "Please sign in to continue." }
+            format.html { redirect_to new_session_path, alert: 'Please sign in to continue.' }
+            format.json { render json: { error: 'Authentication required' }, status: :unauthorized }
+            format.turbo_stream { redirect_to new_session_path, alert: 'Please sign in to continue.' }
           end
         end
 
         def client_ip
-          request.headers["CF-Connecting-IP"] ||
-            request.headers["X-Forwarded-For"]&.split(",")&.first&.strip ||
+          request.headers['CF-Connecting-IP'] ||
+            request.headers['X-Forwarded-For']&.split(',')&.first&.strip ||
             request.remote_ip
         end
 
         def resolve_path(config_key)
           path_config = RailsSimpleAuth.configuration.public_send(config_key)
 
-          result = case path_config
+          case path_config
           when Symbol then send(path_config)
           when Proc then path_config.call(self)
           when String then path_config
           else
-                     Rails.logger.warn(
-                       "[RailsSimpleAuth] Invalid path configuration for #{config_key}: " \
-                       "expected Symbol, Proc, or String, got #{path_config.class.name}. " \
-                       "Falling back to root_path."
-                     )
-                     root_path
+            Rails.logger.warn(
+              "[RailsSimpleAuth] Invalid path configuration for #{config_key}: " \
+              "expected Symbol, Proc, or String, got #{path_config.class.name}. " \
+              'Falling back to root_path.'
+            )
+            root_path
           end
-          result
         rescue NoMethodError => e
           Rails.logger.error(
             "[RailsSimpleAuth] Path helper '#{path_config}' not found for #{config_key}. " \

data/lib/rails_simple_auth/controllers/concerns/session_management.rb

@@ -39,6 +39,30 @@ module RailsSimpleAuth
           RailsSimpleAuth::Current.session = nil
         end
 
+        # Destroy temporary user session when signing in with a different account
+        # This cleans up guest/demo users when they sign in or register
+        # @param signing_in_user [User, nil] The user being signed in (to avoid self-destruction)
+        def destroy_temporary_user_session(signing_in_user = nil)
+          return unless RailsSimpleAuth.configuration.temporary_users_enabled
+          return unless RailsSimpleAuth::Current.user&.temporary?
+
+          temp_user = RailsSimpleAuth::Current.user
+
+          # Don't destroy if the user is re-authenticating as themselves
+          return if signing_in_user && temp_user.id == signing_in_user.id
+
+          temp_user_id = temp_user.id
+
+          temp_user.transaction do
+            destroy_current_session
+            temp_user.destroy!
+          end
+
+          Rails.logger.info("[RailsSimpleAuth] Destroyed temporary user #{temp_user_id} on sign in")
+        rescue ActiveRecord::RecordNotDestroyed => e
+          Rails.logger.error("[RailsSimpleAuth] Failed to destroy temporary user #{temp_user_id}: #{e.message}")
+        end
+
         # Run after sign in callback if configured
         def run_after_sign_in_callback(user)
           run_callback(:after_sign_in_callback, user)

data/lib/rails_simple_auth/engine.rb

@@ -8,7 +8,7 @@ module RailsSimpleAuth
       g.test_framework :minitest
     end
 
-    initializer "rails_simple_auth.helpers" do
+    initializer 'rails_simple_auth.helpers' do
       ActiveSupport.on_load(:action_controller_base) do
         include RailsSimpleAuth::Controllers::Concerns::Authentication
         include RailsSimpleAuth::Controllers::Concerns::SessionManagement

data/lib/rails_simple_auth/models/concerns/authenticatable.rb

@@ -10,25 +10,26 @@ module RailsSimpleAuth
           has_secure_password
 
           has_many :sessions,
-                   class_name: "RailsSimpleAuth::Session",
+                   class_name: RailsSimpleAuth.configuration.session_class_name,
                    dependent: :destroy,
                    inverse_of: :user
 
-          validates :email_address,
+          validates :email,
                     presence: true,
                     uniqueness: { case_sensitive: false },
-                    format: { with: URI::MailTo::EMAIL_REGEXP }
+                    format: { with: URI::MailTo::EMAIL_REGEXP },
+                    unless: :temporary?
 
           validate :password_meets_minimum_length, if: :password_required?
 
-          normalizes :email_address, with: ->(email) { email.strip.downcase }
+          normalizes :email, with: ->(email) { email.strip.downcase }
         end
 
         class_methods do
           def find_by_email(email)
             return nil if email.blank?
 
-            find_by(email_address: email.to_s.strip.downcase)
+            find_by(email: email.to_s.strip.downcase)
           end
         end
 
@@ -47,9 +48,16 @@ module RailsSimpleAuth
           count
         end
 
+        # Returns false by default. Override in TemporaryUser concern.
+        def temporary?
+          false
+        end
+
         private
 
         def password_required?
+          return false if temporary?
+
           password_digest.blank? || password.present?
         end
 

data/lib/rails_simple_auth/models/concerns/confirmable.rb

@@ -8,6 +8,7 @@ module RailsSimpleAuth
 
         included do
           # Requires `confirmed_at` datetime column
+          # Optional `unconfirmed_email` string column for reconfirmation
           scope :confirmed, -> { where.not(confirmed_at: nil) }
           scope :unconfirmed, -> { where(confirmed_at: nil) }
         end
@@ -22,17 +23,51 @@ module RailsSimpleAuth
           !confirmed?
         end
 
+        # Check if user is changing their email (reconfirmation)
+        def reconfirming?
+          respond_to?(:unconfirmed_email) && unconfirmed_email.present?
+        end
+
+        # Check if user needs confirmation (either unconfirmed or reconfirming)
+        def unconfirmed_or_reconfirming?
+          unconfirmed? || reconfirming?
+        end
+
+        # Get the email that needs confirmation
+        def confirmable_email
+          reconfirming? ? unconfirmed_email : email
+        end
+
         # Confirm the user's email
+        # Handles both initial confirmation and reconfirmation (email change)
+        # Also sets temporary: false if TemporaryUser concern is included
+        # Returns true on success, false on failure (with errors populated)
         def confirm!
-          return true if confirmed?
+          attrs = { confirmed_at: Time.current }
+          attrs[:temporary] = false if respond_to?(:temporary?)
 
-          update!(confirmed_at: Time.current)
+          if reconfirming?
+            # Email change confirmation - check email uniqueness first
+            if self.class.where.not(id: id).exists?(email: unconfirmed_email)
+              errors.add(:email, 'is already taken by another user')
+              return false
+            end
+            attrs[:email] = unconfirmed_email
+            attrs[:unconfirmed_email] = nil
+            update(attrs)
+          elsif unconfirmed?
+            # Initial confirmation
+            update(attrs)
+          else
+            # Already confirmed and not reconfirming
+            true
+          end
         end
 
         # Generate email confirmation token using Rails signed_id
         def generate_confirmation_token
           signed_id(
-            purpose: :email_confirmation,
+            purpose: :confirm_email,
             expires_in: RailsSimpleAuth.configuration.confirmation_expiry
           )
         end

data/lib/rails_simple_auth/models/concerns/oauth_connectable.rb

@@ -18,13 +18,13 @@ module RailsSimpleAuth
           # - true (default): Links OAuth to existing email accounts (safe for providers that verify emails)
           # - false: Only allows OAuth for accounts created via OAuth with same provider+uid
           def from_oauth(auth_hash)
-            email = auth_hash.dig("info", "email")
-            provider = auth_hash["provider"]
-            uid = auth_hash["uid"]
+            email = auth_hash.dig('info', 'email')
+            provider = auth_hash['provider']
+            uid = auth_hash['uid']
 
             if email.blank?
               Rails.logger.warn(
-                "[RailsSimpleAuth] OAuth auth_hash missing email. " \
+                '[RailsSimpleAuth] OAuth auth_hash missing email. ' \
                 "Provider: #{provider}, UID: #{uid}. Ensure email scope is requested."
               )
               return nil
@@ -62,7 +62,7 @@ module RailsSimpleAuth
 
             # Create new user for new OAuth signups
             user = new(
-              email_address: email,
+              email: email,
               password: SecureRandom.hex(32) # Random password for OAuth users
             )
 

data/lib/rails_simple_auth/models/concerns/temporary_user.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  module Models
+    module Concerns
+      module TemporaryUser
+        extend ActiveSupport::Concern
+
+        included do
+          scope :temporary, -> { where(temporary: true) }
+          scope :permanent, -> { where(temporary: false) }
+          scope :temporary_expired, lambda { |days = nil|
+            cleanup_days = days || RailsSimpleAuth.configuration.temporary_user_cleanup_days
+            raise ConfigurationError, 'temporary_user_cleanup_days must be configured' unless cleanup_days&.positive?
+
+            temporary.where(created_at: ...cleanup_days.days.ago)
+          }
+        end
+
+        def temporary?
+          temporary == true
+        end
+
+        def permanent?
+          !temporary?
+        end
+
+        # Convert a temporary user to a permanent user with email and password
+        # Returns self on success, false on failure (with errors populated)
+        def convert_to_permanent!(email:, password:)
+          # Validate email uniqueness upfront (better UX than failing inside transaction)
+          if self.class.where.not(id: id).exists?(email: email)
+            errors.add(:email, 'has already been taken')
+            return false
+          end
+
+          transaction do
+            # Reload to discard any unpersisted changes from callbacks before locking
+            reload
+            lock!
+
+            unless temporary?
+              errors.add(:base, 'User is already permanent')
+              raise ActiveRecord::Rollback
+            end
+
+            attrs = {
+              email: email,
+              password: password,
+              temporary: false
+            }
+            # Reset confirmation so new email requires verification
+            attrs[:confirmed_at] = nil if respond_to?(:confirmed_at)
+
+            raise ActiveRecord::Rollback unless update(attrs)
+          end
+
+          # Check if transaction was rolled back
+          return false if errors.any? || temporary?
+
+          invalidate_all_sessions!
+          send_conversion_confirmation_email
+          Rails.logger.info("[RailsSimpleAuth] Converted temporary user #{id} to permanent")
+          self
+        rescue ActiveRecord::RecordNotUnique
+          errors.add(:email, 'has already been taken')
+          false
+        end
+
+        class_methods do
+          # Cleanup expired temporary users in batches
+          # @param days [Integer, nil] Override for cleanup_days config
+          # @param batch_size [Integer] Number of users to process per batch
+          # @return [Integer] Number of users destroyed
+          def cleanup_expired_temporary!(days: nil, batch_size: 100)
+            count = 0
+            temporary_expired(days).find_each(batch_size: batch_size) do |user|
+              user.destroy
+              count += 1
+            end
+            Rails.logger.info("[RailsSimpleAuth] Cleaned up #{count} expired temporary users")
+            count
+          end
+        end
+
+        private
+
+        def send_conversion_confirmation_email
+          return unless RailsSimpleAuth.configuration.email_confirmation_enabled
+          return unless respond_to?(:generate_confirmation_token)
+
+          token = generate_confirmation_token
+          RailsSimpleAuth.configuration.mailer.confirmation(self, token).deliver_later
+
+          Rails.logger.info("[RailsSimpleAuth] Queued confirmation email for converted user #{id}")
+        rescue ArgumentError, NoMethodError, RailsSimpleAuth::ConfigurationError => e
+          # Configuration or method errors - log but don't fail conversion
+          Rails.logger.error(
+            "[RailsSimpleAuth] Failed to send confirmation email for user #{id}: #{e.class}: #{e.message}"
+          )
+        end
+      end
+    end
+  end
+end

data/lib/rails_simple_auth/models/session.rb

@@ -1,14 +1,12 @@
 # frozen_string_literal: true
 
 module RailsSimpleAuth
-  class Session < ActiveRecord::Base
-    self.table_name = "sessions"
+  class Session < ::ApplicationRecord
+    self.table_name = 'sessions'
 
     # Use lambda to defer class resolution until runtime
     belongs_to :user, class_name: -> { RailsSimpleAuth.configuration.user_class_name }
 
-    validates :user_id, presence: true
-
     scope :recent, -> { order(created_at: :desc) }
     scope :active, -> { where(created_at: RailsSimpleAuth.configuration.session_expiry.ago..) }
     scope :expired, -> { where(created_at: ...RailsSimpleAuth.configuration.session_expiry.ago) }

data/lib/rails_simple_auth/routes.rb

@@ -4,11 +4,11 @@ module RailsSimpleAuth
   module Routes
     def rails_simple_auth_routes(options = {})
       controllers = {
-        sessions: options.fetch(:sessions_controller, "rails_simple_auth/sessions"),
-        registrations: options.fetch(:registrations_controller, "rails_simple_auth/registrations"),
-        passwords: options.fetch(:passwords_controller, "rails_simple_auth/passwords"),
-        confirmations: options.fetch(:confirmations_controller, "rails_simple_auth/confirmations"),
-        omniauth: options.fetch(:omniauth_controller, "rails_simple_auth/omniauth_callbacks")
+        sessions: options.fetch(:sessions_controller, 'rails_simple_auth/sessions'),
+        registrations: options.fetch(:registrations_controller, 'rails_simple_auth/registrations'),
+        passwords: options.fetch(:passwords_controller, 'rails_simple_auth/passwords'),
+        confirmations: options.fetch(:confirmations_controller, 'rails_simple_auth/confirmations'),
+        omniauth: options.fetch(:omniauth_controller, 'rails_simple_auth/omniauth_callbacks')
       }
 
       config = RailsSimpleAuth.configuration
@@ -16,29 +16,29 @@ module RailsSimpleAuth
       # Core authentication routes (always registered)
       resource :session, only: %i[new create destroy], controller: controllers[:sessions]
 
-      get "sign_up", to: "#{controllers[:registrations]}#new", as: :sign_up
-      post "sign_up", to: "#{controllers[:registrations]}#create"
+      get 'sign_up', to: "#{controllers[:registrations]}#new", as: :sign_up
+      post 'sign_up', to: "#{controllers[:registrations]}#create"
 
       resources :passwords, param: :token, only: %i[new create edit update], controller: controllers[:passwords]
 
       # Email confirmation routes (only when enabled)
       if config.email_confirmation_enabled
         resources :confirmations, only: %i[new create], controller: controllers[:confirmations]
-        get "confirmations/:token", to: "#{controllers[:confirmations]}#show", as: :confirmation
+        get 'confirmations/:token', to: "#{controllers[:confirmations]}#show", as: :confirmation
       end
 
       # Magic link routes (only when enabled)
       if config.magic_link_enabled
-        get "magic_link_form", to: "#{controllers[:sessions]}#magic_link_form", as: :magic_link_form
-        post "request_magic_link", to: "#{controllers[:sessions]}#request_magic_link", as: :request_magic_link
-        get "magic_link", to: "#{controllers[:sessions]}#magic_link_login", as: :magic_link
+        get 'magic_link_form', to: "#{controllers[:sessions]}#magic_link_form", as: :magic_link_form
+        post 'request_magic_link', to: "#{controllers[:sessions]}#request_magic_link", as: :request_magic_link
+        get 'magic_link', to: "#{controllers[:sessions]}#magic_link_login", as: :magic_link
       end
 
       # OAuth routes (only when enabled)
-      if config.oauth_enabled
-        get "/auth/:provider/callback", to: "#{controllers[:omniauth]}#create", as: :omniauth_callback
-        get "/auth/failure", to: "#{controllers[:omniauth]}#failure", as: :omniauth_failure
-      end
+      return unless config.oauth_enabled
+
+      get '/auth/:provider/callback', to: "#{controllers[:omniauth]}#create", as: :omniauth_callback
+      get '/auth/failure', to: "#{controllers[:omniauth]}#failure", as: :omniauth_failure
     end
   end
 end

data/lib/rails_simple_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsSimpleAuth
-  VERSION = "1.0.0"
+  VERSION = '1.0.2'
 end

data/lib/rails_simple_auth.rb

@@ -1,23 +1,25 @@
 # frozen_string_literal: true
 
-require "rails_simple_auth/version"
-require "rails_simple_auth/configuration"
-require "rails_simple_auth/engine"
+require 'rails_simple_auth/version'
+require 'rails_simple_auth/configuration'
+require 'rails_simple_auth/engine'
 
 # Model concerns
-require "rails_simple_auth/models/concerns/authenticatable"
-require "rails_simple_auth/models/concerns/confirmable"
-require "rails_simple_auth/models/concerns/magic_linkable"
-require "rails_simple_auth/models/concerns/oauth_connectable"
-require "rails_simple_auth/models/current"
-require "rails_simple_auth/models/session"
+require 'rails_simple_auth/models/concerns/authenticatable'
+require 'rails_simple_auth/models/concerns/confirmable'
+require 'rails_simple_auth/models/concerns/magic_linkable'
+require 'rails_simple_auth/models/concerns/oauth_connectable'
+require 'rails_simple_auth/models/concerns/temporary_user'
+require 'rails_simple_auth/models/current'
+# Session is NOT required here - it depends on ApplicationRecord which isn't available at gem load time
+# It will be autoloaded by the engine when Rails is ready
 
 # Controller concerns
-require "rails_simple_auth/controllers/concerns/authentication"
-require "rails_simple_auth/controllers/concerns/session_management"
+require 'rails_simple_auth/controllers/concerns/authentication'
+require 'rails_simple_auth/controllers/concerns/session_management'
 
 # Routes
-require "rails_simple_auth/routes"
+require 'rails_simple_auth/routes'
 
 module RailsSimpleAuth
   class Error < StandardError; end

metadata

@@ -1,43 +1,42 @@
 --- !ruby/object:Gem::Specification
 name: rails_simple_auth
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.2
 platform: ruby
 authors:
 - Ivan Kuznetsov
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-18 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rails
+  name: bcrypt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.0'
+        version: '3.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.0'
+        version: '3.1'
 - !ruby/object:Gem::Dependency
-  name: bcrypt
+  name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '8.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '8.0'
 description: 'A lightweight authentication gem built on Rails primitives: has_secure_password,
   signed cookies, rate limiting. Supports email/password, magic links, email confirmation,
   and OAuth.'
@@ -50,6 +49,7 @@ files:
 - CHANGELOG.md
 - MIT-LICENSE
 - README.md
+- app/assets/stylesheets/rails_simple_auth/application.css
 - app/controllers/rails_simple_auth/base_controller.rb
 - app/controllers/rails_simple_auth/confirmations_controller.rb
 - app/controllers/rails_simple_auth/omniauth_callbacks_controller.rb
@@ -57,6 +57,7 @@ files:
 - app/controllers/rails_simple_auth/registrations_controller.rb
 - app/controllers/rails_simple_auth/sessions_controller.rb
 - app/mailers/rails_simple_auth/auth_mailer.rb
+- app/views/layouts/rails_simple_auth.html.erb
 - app/views/rails_simple_auth/confirmations/new.html.erb
 - app/views/rails_simple_auth/mailers/confirmation.html.erb
 - app/views/rails_simple_auth/mailers/magic_link.html.erb
@@ -71,6 +72,9 @@ files:
 - lib/generators/rails_simple_auth/install/install_generator.rb
 - lib/generators/rails_simple_auth/install/templates/initializer.rb
 - lib/generators/rails_simple_auth/install/templates/migration.rb
+- lib/generators/rails_simple_auth/temporary_users/USAGE
+- lib/generators/rails_simple_auth/temporary_users/templates/add_temporary_to_users.rb.erb
+- lib/generators/rails_simple_auth/temporary_users/temporary_users_generator.rb
 - lib/generators/rails_simple_auth/views/views_generator.rb
 - lib/rails_simple_auth.rb
 - lib/rails_simple_auth/configuration.rb
@@ -81,6 +85,7 @@ files:
 - lib/rails_simple_auth/models/concerns/confirmable.rb
 - lib/rails_simple_auth/models/concerns/magic_linkable.rb
 - lib/rails_simple_auth/models/concerns/oauth_connectable.rb
+- lib/rails_simple_auth/models/concerns/temporary_user.rb
 - lib/rails_simple_auth/models/current.rb
 - lib/rails_simple_auth/models/session.rb
 - lib/rails_simple_auth/routes.rb
@@ -95,7 +100,6 @@ metadata:
   bug_tracker_uri: https://github.com/ivankuznetsov/rails_simple_auth/issues
   documentation_uri: https://github.com/ivankuznetsov/rails_simple_auth#readme
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -110,8 +114,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Simple, secure authentication for Rails 8+ applications
 test_files: []