rails_simple_auth 1.0.5 → 1.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83fb50e708c25bcd5a7115ae8e0935e9921909580aef97ca6ec585100e410e37
-  data.tar.gz: 1b7a3bcef439ad6c38155404562167e487144aeeb292ea4fa9436c5252ad1e9c
+  metadata.gz: a168e835a568c68794da8d69b24fe33d8a99ece8e14277e3676668ae62d0d284
+  data.tar.gz: e8d4947a07f36d2f9f9a45ed0d8b98966adb8e1d4084657da00ee7050393c56b
 SHA512:
-  metadata.gz: df759dcc508dca50b40cd1c85a9c8609a80b2c1a8feb71dfc2ea0a06fe48187bb5c57488a67eecce77eb9e099441bb0609524b48d14b288e318ebcf0e4fec12c
-  data.tar.gz: f035ac8532d07768a6a4dd5ce7df1eab2454bf4fd49c53734732b0979f68d8280d876bd174576434c7daedd9f793f029d81a6cc0b335a0f6c608bd915c71d71d
+  metadata.gz: bc07416640d3ae37febfce98d74ab212b35469ff29145441cb1ed0c260e7ac4e0eafa3d2edbc870fb46d30c847d9669ce5be6b4135ba677bb4fafe5855c44b31
+  data.tar.gz: 0d5ce6bddec0962b6f4d065cc72b9b88772c25326bbfcefc0dc28b3b61739419ea12ed0538ab59be8b18da233054fc2a8d87625959f77e571a54d7dd27834e59

data/CHANGELOG.md

@@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.7] - 2026-01-19
+
+### Fixed
+
+- **Temporary users can now access sign-in page** - Previously, temporary users clicking "Sign in" were redirected away because `user_signed_in?` returned true. Now checks `permanent_user_signed_in?` instead, allowing temporary users to sign in with a real account.
+
+### Added
+
+- **Referrer-based redirect after sign-in** - When users voluntarily click "Sign in" (not forced by `require_authentication`), their referring page is stored so they're redirected back after signing in. Security: only stores referrer from same origin.
+- `permanent_user_signed_in?` helper method - Returns true only if user is signed in AND permanent (or doesn't respond to `permanent?`)
+
+## [1.0.6] - 2025-01-19
+
+### Added
+
+- **Database-level email uniqueness** - Partial unique index ensures permanent users have unique emails at database level (not just Rails validation)
+
+### Changed
+
+- Simplified `temporary?` method for cleaner implementation
+
 ## [1.0.5] - 2025-01-19
 
 ### Added

data/app/controllers/rails_simple_auth/sessions_controller.rb

@@ -22,7 +22,9 @@ module RailsSimpleAuth
     end
 
     def new
-      redirect_to resolve_path(:after_sign_in_path) if user_signed_in?
+      return redirect_to resolve_path(:after_sign_in_path) if permanent_user_signed_in?
+
+      store_referrer_for_redirect
     end
 
     def create
@@ -52,7 +54,9 @@ module RailsSimpleAuth
     end
 
     def magic_link_form
-      redirect_to resolve_path(:after_sign_in_path) if user_signed_in?
+      return redirect_to resolve_path(:after_sign_in_path) if permanent_user_signed_in?
+
+      store_referrer_for_redirect
     end
 
     def request_magic_link

data/lib/generators/rails_simple_auth/temporary_users/templates/add_temporary_to_users.rb.erb

@@ -4,5 +4,6 @@ class AddTemporaryToUsers < ActiveRecord::Migration[<%= Rails::VERSION::MAJOR %>
   def change
     add_column :users, :temporary, :boolean, default: false, null: false
     add_index :users, [:temporary, :created_at], name: "index_users_on_temporary_and_created_at"
+    add_index :users, :email_address, unique: true, where: "temporary = false", name: "index_users_on_email_address_permanent_unique"
   end
 end

data/lib/rails_simple_auth/controllers/concerns/authentication.rb

@@ -44,6 +44,10 @@ module RailsSimpleAuth
           current_user.present?
         end
 
+        def permanent_user_signed_in?
+          user_signed_in? && (!current_user.respond_to?(:permanent?) || current_user.permanent?)
+        end
+
         def store_location_for_redirect
           return unless request.get?
 
@@ -57,6 +61,33 @@ module RailsSimpleAuth
           session[:return_to] = path
         end
 
+        def store_referrer_for_redirect
+          # Don't overwrite existing stored location (e.g., from require_authentication)
+          return if session[:return_to].present?
+
+          referrer = request.referer
+          return if referrer.blank?
+
+          # SECURITY: Only store referrer if it's from the same origin
+          begin
+            referrer_uri = URI.parse(referrer)
+            request_uri = URI.parse(request.url)
+
+            return unless referrer_uri.host == request_uri.host
+
+            path = referrer_uri.path
+            path += "?#{referrer_uri.query}" if referrer_uri.query.present?
+
+            # SECURITY: Validate path to prevent open redirect attacks
+            return unless path.start_with?('/')
+            return if path.start_with?('//')
+
+            session[:return_to] = path
+          rescue URI::InvalidURIError
+            # Invalid referrer, ignore
+          end
+        end
+
         def stored_location_or_default
           session.delete(:return_to) || resolve_path(:after_sign_in_path)
         end

data/lib/rails_simple_auth/controllers/concerns/session_management.rb

@@ -58,7 +58,7 @@ module RailsSimpleAuth
             temp_user.destroy!
           end
 
-          Rails.logger.info("[RailsSimpleAuth] Destroyed temporary user #{temp_user_id} on sign in")
+          Rails.logger.info "[RailsSimpleAuth] Destroyed temporary user #{temp_user_id} on sign in"
         rescue ActiveRecord::RecordNotDestroyed => e
           Rails.logger.error("[RailsSimpleAuth] Failed to destroy temporary user #{temp_user_id}: #{e.message}")
         end

data/lib/rails_simple_auth/models/concerns/temporary_user.rb

@@ -18,7 +18,7 @@ module RailsSimpleAuth
         end
 
         def temporary?
-          temporary == true
+          temporary
         end
 
         def permanent?

data/lib/rails_simple_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsSimpleAuth
-  VERSION = '1.0.5'
+  VERSION = '1.0.7'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails_simple_auth
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.0.7
 platform: ruby
 authors:
 - Ivan Kuznetsov