rails_simple_auth 1.0.6 → 1.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -0
- data/app/controllers/rails_simple_auth/sessions_controller.rb +6 -2
- data/app/views/rails_simple_auth/registrations/new.html.erb +1 -2
- data/app/views/rails_simple_auth/sessions/new.html.erb +1 -2
- data/lib/rails_simple_auth/controllers/concerns/authentication.rb +31 -0
- data/lib/rails_simple_auth/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c725500a464716b536ca185da3cb3c5cd4fafc0f4953336e67b1cbaa51fad2ee
|
|
4
|
+
data.tar.gz: aba285ded6dfdbfd51385f0d82ae5c61e1862d957c57a1ee38a481d15f4b57f9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ee180cbc6a661d5dc4e7bc8ff77f33fad7907a4e0ae7dd94382e110e3855306e8eedadfef4d0013fa2296c9011c3a4b43abdb9072eb62de8d364ffa0c2e9824b
|
|
7
|
+
data.tar.gz: 2c87bee543511aa70ce9cf0186dafe97d7baa5d1afc56bbc5cebba8be9da197d85e51b61a3cd9e1dee588f11b10693d9029dfb53d989df86c6bb3bd3a27ae910
|
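--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.8] - 2026-01-19
+
+### Fixed
+
+- **OAuth buttons use button_to instead of link_to** - `link_to` with `method: :post` doesn't work in Rails 8 without rails-ujs. Changed OAuth buttons in sessions and registrations views to use `button_to` which properly creates POST forms.
+
+## [1.0.7] - 2026-01-19
+
+### Fixed
+
+- **Temporary users can now access sign-in page** - Previously, temporary users clicking "Sign in" were redirected away because `user_signed_in?` returned true. Now checks `permanent_user_signed_in?` instead, allowing temporary users to sign in with a real account.
+
+### Added
+
+- **Referrer-based redirect after sign-in** - When users voluntarily click "Sign in" (not forced by `require_authentication`), their referring page is stored so they're redirected back after signing in. Security: only stores referrer from same origin.
+- `permanent_user_signed_in?` helper method - Returns true only if user is signed in AND permanent (or doesn't respond to `permanent?`)
+
 ## [1.0.6] - 2025-01-19
 
 ### Added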
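--- a/data/app/controllers/rails_simple_auth/sessions_controller.rb
+++ b/data/app/controllers/rails_simple_auth/sessions_controller.rb
@@ -22,7 +22,9 @@ module RailsSimpleAuth
 end
 
 def new
-redirect_to resolve_path(:after_sign_in_path) if
+return redirect_to resolve_path(:after_sign_in_path) if permanent_user_signed_in?
+
+store_referrer_for_redirect
 end
 
 def create
@@ -52,7 +54,9 @@ module RailsSimpleAuth
 end
 
 def magic_link_form
-redirect_to resolve_path(:after_sign_in_path) if
+return redirect_to resolve_path(:after_sign_in_path) if permanent_user_signed_in?
+
+store_referrer_for_redirect
 end
 
 def request_magic_link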
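Review bot: The new guard `return redirect_to resolve_path(:after_sign_in_path) if permanent_user_signed_in?` in `new` (and the identical line in `magic_link_form`) intentionally lets temporary users reach the sign-in pages, but nothing in the code records that intent, so a later maintainer could "tighten" it back to a plain signed-in check and reintroduce the lockout the changelog describes. Suggest a comment above each guard: `# Temporary users count as signed in but must still be able to sign in with a permanent account, so only permanent users are redirected away.` Note also that `store_referrer_for_redirect` now runs on every GET of these pages, so a visitor who never completes sign-in still leaves a `session[:return_to]` behind until something consumes it. Both methods belong to a class whose header and remaining actions lie outside the hunks.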
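--- a/data/app/views/rails_simple_auth/registrations/new.html.erb
+++ b/data/app/views/rails_simple_auth/registrations/new.html.erb
@@ -36,9 +36,8 @@
 <div class="rsa-auth-form__oauth">
 <div class="rsa-auth-form__oauth-buttons">
 <% RailsSimpleAuth.configuration.oauth_providers.each do |provider| %>
-<%=
+<%= button_to "/auth/#{provider}",
 class: "rsa-auth-form__oauth-button rsa-auth-form__oauth-button--#{provider}",
-method: :post,
 data: { turbo: false } do %>
 <span class="rsa-auth-form__oauth-icon rsa-auth-form__oauth-icon--<%= provider %>"></span>
 Continue with <%= provider.to_s.titleize %>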
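Review bot: With `button_to`, the `data: { turbo: false }` passed in html_options is emitted on the generated `<button>`, not on the `<form>` that wraps it, so whether Turbo skips this submission depends on Turbo honoring the attribute on the submitter element; if the intent is to opt the whole form out, pass it as `form: { data: { turbo: false } }` (or confirm the submitter-level attribute suffices for the Turbo version the host app ships). The same block is duplicated verbatim in the sessions/new.html.erb hunk below; since both views now carry the identical OAuth button loop, a shared partial would keep the two from drifting apart on the next fix. On the positive side, `button_to` emits the authenticity token that a `link_to ... method: :post` never did, which is what an OAuth request-phase POST needs. The enclosing form markup is outside the hunk.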
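--- a/data/app/views/rails_simple_auth/sessions/new.html.erb
+++ b/data/app/views/rails_simple_auth/sessions/new.html.erb
@@ -39,9 +39,8 @@
 <div class="rsa-auth-form__oauth">
 <div class="rsa-auth-form__oauth-buttons">
 <% RailsSimpleAuth.configuration.oauth_providers.each do |provider| %>
-<%=
+<%= button_to "/auth/#{provider}",
 class: "rsa-auth-form__oauth-button rsa-auth-form__oauth-button--#{provider}",
-method: :post,
 data: { turbo: false } do %>
 <span class="rsa-auth-form__oauth-icon rsa-auth-form__oauth-icon--<%= provider %>"></span>
 Continue with <%= provider.to_s.titleize %>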
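--- a/data/lib/rails_simple_auth/controllers/concerns/authentication.rb
+++ b/data/lib/rails_simple_auth/controllers/concerns/authentication.rb
@@ -44,6 +44,10 @@ module RailsSimpleAuth
 current_user.present?
 end
 
+def permanent_user_signed_in?
+user_signed_in? && (!current_user.respond_to?(:permanent?) || current_user.permanent?)
+end
+
 def store_location_for_redirect
 return unless request.get?
 
@@ -57,6 +61,33 @@ module RailsSimpleAuth
 session[:return_to] = path
 end
 
+def store_referrer_for_redirect
+# Don't overwrite existing stored location (e.g., from require_authentication)
+return if session[:return_to].present?
+
+referrer = request.referer
+return if referrer.blank?
+
+# SECURITY: Only store referrer if it's from the same origin
+begin
+referrer_uri = URI.parse(referrer)
+request_uri = URI.parse(request.url)
+
+return unless referrer_uri.host == request_uri.host
+
+path = referrer_uri.path
+path += "?#{referrer_uri.query}" if referrer_uri.query.present?
+
+# SECURITY: Validate path to prevent open redirect attacks
+return unless path.start_with?('/')
+return if path.start_with?('//')
+
+session[:return_to] = path
+rescue URI::InvalidURIError
+# Invalid referrer, ignore
+end
+end
+
 def stored_location_or_default
 session.delete(:return_to) || resolve_path(:after_sign_in_path)
 end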
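Review bot: The "same origin" check in `store_referrer_for_redirect` (`return unless referrer_uri.host == request_uri.host`) compares only the host, so a referrer on the same hostname but a different scheme or port (another app served on a second port of the same host, or a plain-http page referring to the https app) is accepted, which is narrower than the `# SECURITY: Only store referrer if it's from the same origin` comment promises. Compare the full origin triple instead: `return unless [referrer_uri.scheme, referrer_uri.host, referrer_uri.port] == [request_uri.scheme, request_uri.host, request_uri.port]` (URI fills in the default port, so hosts written with and without `:443` still match). Because only path and query are stored and the `/` / `//` checks keep the later redirect on the app's own host, the practical exposure is confined to an unexpected in-app destination, but the comment and the check should say the same thing. `permanent_user_signed_in?` in the earlier hunk would also benefit from a one-line doc comment such as `# A current_user that does not implement permanent? is treated as permanent.`, since that fallback is the non-obvious part of the predicate. The enclosing module and the rest of the concern sit outside both hunks.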