rails_simple_auth 1.0.3 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5fb876e2f8ec9c1f40ed2dbb8d97fdd984e7e5927e11c56be6a2ac4b2aa593a4
-  data.tar.gz: 29a914c7c8f77a85199d6f7188ce77ab24460554ca90421b22b38646f15464f5
+  metadata.gz: 83fb50e708c25bcd5a7115ae8e0935e9921909580aef97ca6ec585100e410e37
+  data.tar.gz: 1b7a3bcef439ad6c38155404562167e487144aeeb292ea4fa9436c5252ad1e9c
 SHA512:
-  metadata.gz: 8a7d0926e4e1e3a8c7da6ec9ab4de80768ae98a1316a32b6d9bf6aa790f266fc494598344b9a47444bfac1241ab55ea6d11c4c89a56bb2d270cff816a0bb3178
-  data.tar.gz: b9ea5fa54ad39f51e86dae6852df477760bfb8c28a3c002cae421c40d44e5d3fb74e0ecfaa6ab6d65705cb3ba579d72e4c47061aa2b06d848d5f4639ca9f1eaf
+  metadata.gz: df759dcc508dca50b40cd1c85a9c8609a80b2c1a8feb71dfc2ea0a06fe48187bb5c57488a67eecce77eb9e099441bb0609524b48d14b288e318ebcf0e4fec12c
+  data.tar.gz: f035ac8532d07768a6a4dd5ce7df1eab2454bf4fd49c53734732b0979f68d8280d876bd174576434c7daedd9f793f029d81a6cc0b335a0f6c608bd915c71d71d

data/CHANGELOG.md

@@ -7,6 +7,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.5] - 2025-01-19
+
+### Added
+
+- **Secure OmniAuth by default** - Automatically restricts OAuth initiation to POST requests only (prevents CSRF attacks)
+
+## [1.0.4] - 2025-01-19
+
+### Added
+
+- **`authenticates_with` DSL** - Cleaner model setup inspired by Devise syntax
+  ```ruby
+  # Before
+  include RailsSimpleAuth::Models::Concerns::Authenticatable
+  include RailsSimpleAuth::Models::Concerns::Confirmable
+
+  # After
+  authenticates_with :confirmable, :magic_linkable, :oauth, :temporary
+  ```
+- **Devise comparison article** - Comprehensive comparison at `docs/devise-comparison.md`
+- **Admin Users documentation** - Guide for implementing admin functionality
+- **Rate Limiting documentation** - Default limits and customization guide
+- **Session Management documentation** - Expiration, querying, and cleanup
+
 ## [1.0.3] - 2025-01-19
 
 ### Added

data/README.md

@@ -2,6 +2,8 @@
 
 Simple, secure authentication for Rails 8+ applications. Built on Rails primitives with no magic.
 
+**Coming from Devise?** Read our [detailed comparison](docs/devise-comparison.md).
+
 ## Features
 
 - [**Email/Password authentication**](#installation) - secure session-based auth
@@ -36,20 +38,31 @@ rails generate rails_simple_auth:install
 rails db:migrate
 ```
 
-Add concerns to your User model:
+Add authentication to your User model:
 
 ```ruby
 class User < ApplicationRecord
-  include RailsSimpleAuth::Models::Concerns::Authenticatable
-  include RailsSimpleAuth::Models::Concerns::Confirmable      # optional
-  include RailsSimpleAuth::Models::Concerns::MagicLinkable    # optional
-  include RailsSimpleAuth::Models::Concerns::OAuthConnectable # optional
+  authenticates_with :confirmable, :magic_linkable, :oauth, :temporary
 
   # Your custom fields and validations
   validates :company_name, presence: true
 end
 ```
 
+Available modules:
+- `:confirmable` - Email confirmation for new accounts
+- `:magic_linkable` - Passwordless sign-in via email
+- `:oauth` - OAuth provider support (Google, GitHub, etc.)
+- `:temporary` - Guest accounts that convert to permanent
+
+For basic email/password auth only:
+
+```ruby
+class User < ApplicationRecord
+  authenticates_with
+end
+```
+
 Protect your routes:
 
 ```ruby
@@ -193,7 +206,7 @@ end
 
 ```ruby
 class User < ApplicationRecord
-  include RailsSimpleAuth::Models::Concerns::OAuthConnectable
+  authenticates_with :oauth
 
   def assign_oauth_attributes(auth_hash)
     self.name = auth_hash.dig("info", "name")
@@ -228,12 +241,11 @@ rails generate rails_simple_auth:temporary_users
 rails db:migrate
 ```
 
-2. Add the concern to your User model:
+2. Add the `:temporary` module to your User model:
 
 ```ruby
 class User < ApplicationRecord
-  include RailsSimpleAuth::Models::Concerns::Authenticatable
-  include RailsSimpleAuth::Models::Concerns::TemporaryUser  # Add this
+  authenticates_with :confirmable, :temporary
 end
 ```
 
@@ -587,6 +599,72 @@ end
 - **Account conversion**: All sessions are invalidated when a temporary user converts to permanent
 - **Sign out**: Only the current session is destroyed (other devices stay signed in)
 
+## Admin Users
+
+RailsSimpleAuth uses a single table with role-based access — the Rails way. No separate admin models or authentication flows needed.
+
+### Setup
+
+Add an admin column to your users table:
+
+```ruby
+# Migration
+add_column :users, :admin, :boolean, default: false
+```
+
+Add a helper method to your model:
+
+```ruby
+class User < ApplicationRecord
+  authenticates_with :confirmable
+
+  def admin?
+    admin == true
+  end
+end
+```
+
+### Protecting Admin Routes
+
+```ruby
+class AdminController < ApplicationController
+  before_action :require_admin
+
+  private
+
+  def require_admin
+    redirect_to root_path, alert: "Not authorized" unless current_user&.admin?
+  end
+end
+
+# Or as a concern
+module AdminAuthentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :require_admin
+  end
+
+  private
+
+  def require_admin
+    redirect_to root_path, alert: "Not authorized" unless current_user&.admin?
+  end
+end
+```
+
+### Creating Admin Users
+
+```ruby
+# Console
+User.find_by(email: "admin@example.com").update!(admin: true)
+
+# Seeds
+User.create!(email: "admin@example.com", password: "secure123", admin: true)
+```
+
+For more complex role systems, consider adding a `role` enum or using an authorization gem like [Pundit](https://github.com/varvet/pundit).
+
 ## Security Features
 
 - **BCrypt password hashing** with salts

data/lib/generators/rails_simple_auth/install/install_generator.rb

@@ -40,15 +40,14 @@ module RailsSimpleAuth
         say 'Next steps:'
         say '  1. Review and edit the migration: db/migrate/xxx_add_rails_simple_auth.rb'
         say '  2. Run: rails db:migrate'
-        say "  3. Add concerns to your #{options[:user_model]} model:"
+        say "  3. Add authentication to your #{options[:user_model]} model:"
         say ''
         say "     class #{options[:user_model]} < ApplicationRecord"
-        say '       include RailsSimpleAuth::Models::Concerns::Authenticatable'
-        say '       include RailsSimpleAuth::Models::Concerns::Confirmable      # optional'
-        say '       include RailsSimpleAuth::Models::Concerns::MagicLinkable    # optional'
-        say '       include RailsSimpleAuth::Models::Concerns::OAuthConnectable # optional'
+        say '       authenticates_with :confirmable, :magic_linkable'
         say '     end'
         say ''
+        say '     Available modules: :confirmable, :magic_linkable, :oauth, :temporary'
+        say ''
         say '  4. Add before_action to protect routes:'
         say ''
         say '     class ApplicationController < ActionController::Base'
@@ -56,8 +55,9 @@ module RailsSimpleAuth
         say '     end'
         say ''
         say 'Optional generators:'
-        say '  rails generate rails_simple_auth:views  # Copy views for customization'
-        say '  rails generate rails_simple_auth:css    # Copy CSS for styling'
+        say '  rails generate rails_simple_auth:views           # Copy views for customization'
+        say '  rails generate rails_simple_auth:css             # Copy CSS for styling'
+        say '  rails generate rails_simple_auth:temporary_users # Add guest account support'
         say ''
       end
     end

data/lib/generators/rails_simple_auth/temporary_users/USAGE

@@ -9,8 +9,8 @@ Example:
     This will create:
         db/migrate/YYYYMMDDHHMMSS_add_temporary_to_users.rb
 
-    After running the migration, include the concern in your User model:
-        include RailsSimpleAuth::Models::Concerns::TemporaryUser
+    After running the migration, add :temporary to your User model:
+        authenticates_with :confirmable, :temporary
 
     And enable in your initializer:
         config.temporary_users_enabled = true

data/lib/generators/rails_simple_auth/temporary_users/temporary_users_generator.rb

@@ -28,8 +28,8 @@ module RailsSimpleAuth
         say 'Next steps:', :yellow
         say '  1. Run: bin/rails db:migrate'
         say ''
-        say '  2. Include the concern in your User model:'
-        say '     include RailsSimpleAuth::Models::Concerns::TemporaryUser'
+        say '  2. Add :temporary to your User model:'
+        say '     authenticates_with :confirmable, :temporary'
         say ''
         say '  3. Enable in your initializer:'
         say '     config.temporary_users_enabled = true'

data/lib/rails_simple_auth/engine.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'rails_simple_auth/model'
+
 module RailsSimpleAuth
   class Engine < ::Rails::Engine
     isolate_namespace RailsSimpleAuth
@@ -14,5 +16,18 @@ module RailsSimpleAuth
         include RailsSimpleAuth::Controllers::Concerns::SessionManagement
       end
     end
+
+    initializer 'rails_simple_auth.model' do
+      ActiveSupport.on_load(:active_record) do
+        include RailsSimpleAuth::Model
+      end
+    end
+
+    # Secure OmniAuth by default - only allow POST to initiate OAuth (prevents CSRF)
+    initializer 'rails_simple_auth.omniauth', after: :load_config_initializers do
+      if defined?(OmniAuth)
+        OmniAuth.config.allowed_request_methods = %i[post]
+      end
+    end
   end
 end

data/lib/rails_simple_auth/model.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module RailsSimpleAuth
+  module Model
+    extend ActiveSupport::Concern
+
+    MODULES = {
+      confirmable: 'RailsSimpleAuth::Models::Concerns::Confirmable',
+      magic_linkable: 'RailsSimpleAuth::Models::Concerns::MagicLinkable',
+      oauth: 'RailsSimpleAuth::Models::Concerns::OAuthConnectable',
+      temporary: 'RailsSimpleAuth::Models::Concerns::TemporaryUser'
+    }.freeze
+
+    class_methods do
+      # Configure authentication for this model
+      #
+      # @example Basic authentication only
+      #   authenticates_with
+      #
+      # @example With optional modules
+      #   authenticates_with :confirmable, :magic_linkable
+      #
+      # @example Full featured
+      #   authenticates_with :confirmable, :magic_linkable, :oauth, :temporary
+      #
+      # Available modules:
+      # - :confirmable     - Email confirmation for new accounts
+      # - :magic_linkable  - Passwordless sign-in via email
+      # - :oauth           - OAuth provider support (Google, GitHub, etc.)
+      # - :temporary       - Guest accounts that convert to permanent
+      #
+      def authenticates_with(*modules)
+        # Always include base authentication
+        include RailsSimpleAuth::Models::Concerns::Authenticatable
+
+        # Include requested optional modules
+        modules.each do |mod|
+          mod_name = mod.to_sym
+          unless MODULES.key?(mod_name)
+            raise ArgumentError, "Unknown authentication module: #{mod.inspect}. " \
+                                 "Available modules: #{MODULES.keys.join(', ')}"
+          end
+
+          include MODULES[mod_name].constantize
+        end
+      end
+    end
+  end
+end

data/lib/rails_simple_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsSimpleAuth
-  VERSION = '1.0.3'
+  VERSION = '1.0.5'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails_simple_auth
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.0.5
 platform: ruby
 authors:
 - Ivan Kuznetsov
@@ -82,6 +82,7 @@ files:
 - lib/rails_simple_auth/controllers/concerns/authentication.rb
 - lib/rails_simple_auth/controllers/concerns/session_management.rb
 - lib/rails_simple_auth/engine.rb
+- lib/rails_simple_auth/model.rb
 - lib/rails_simple_auth/models/concerns/authenticatable.rb
 - lib/rails_simple_auth/models/concerns/confirmable.rb
 - lib/rails_simple_auth/models/concerns/magic_linkable.rb