revise_auth 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f5d5afd1201c6a751a50e0c153589fa552e949c45cad6da9f3147670e6aaf274
-  data.tar.gz: 9d546d451af57bbc97d4e6dbae0dc83b00b6818fa14210f1a32735f79295686e
+  metadata.gz: 4877361ed28001b736c2e6387f0c65fa402229e47b08d34af1feb05ac3d6e8f8
+  data.tar.gz: 166a23ca4f1d792fa7af671bfcbc73bbb88cec68b611f1c1d9c17e84acd65940
 SHA512:
-  metadata.gz: 39331cdedcd79bc56c9237436bbf844ea5b1b863242b3cf4b5935a48bc492e2ebfdc8d5e5bc987f92b22556f58558876e418e94c2850d1eb0be659e54067ec1e
-  data.tar.gz: d1a39f4b6f81989be85657b540fcad3f0fbcb0a52ea3b184ea86263391ea204e192adf7038e164da190c03d6837da4c2ce8f3157779b6489cad65981e78f877f
+  metadata.gz: 891ca6da76f4a09caf6e169412a0c9a9cdc27ba6e641564a365bd8d2a623cf57cba9068fad9b4332424258f1cc95712139e7b9af242916718334782f4b8d5ae2
+  data.tar.gz: 81400af06d8b1845487acd05a293b1bf101eee6b21b1e1b6908befda918982c18a01df63c70ab96aabc9eebd24514471841741001bcb834445d9d8b9c56242e0

data/README.md

@@ -41,6 +41,20 @@ $ rails g revise_auth:views
 
 This will copy the views into `app/views/revise_auth` in your application.
 
+### After Login Path
+
+After a user logs in they will be redirected to the stashed location or the root path, by default. When a GET request hits `authenticate_user!`, it will stash the request path in the session and redirect back after login.
+
+To override this, define `after_login_path` in your ApplicationController. You can also override `ReviseAuthController` and define it there.
+
+```ruby
+class ApplicationController < ActionController::Base
+  def after_login_path
+    root_path
+  end
+end
+```
+
 ## Contributing
 
 If you have an issue you'd like to submit, please do so using the issue tracker in GitHub. In order for us to help you in the best way possible, please be as detailed as you can.

data/app/controllers/revise_auth/password_controller.rb

@@ -1,24 +1,22 @@
 class ReviseAuth::PasswordController < ReviseAuthController
-  before_action :validate_current_password, only: [:update]
+  before_action :authenticate_user!
 
   def update
     if current_user.update(password_params)
-      flash[:notice] = I18n.t("revise_auth.password_changed")
+      redirect_to profile_path, notice: I18n.t("revise_auth.password_changed")
+    else
+      flash[:alert] = I18n.t("revise_auth.incorrect_password")
+      render "revise_auth/registrations/edit", status: :unprocessable_entity
     end
-
-    redirect_to profile_path
   end
 
   private
 
   def password_params
-    params.require(:user).permit(:password, :password_confirmation)
-  end
-
-  def validate_current_password
-    unless current_user.authenticate(params[:current_password])
-      flash[:alert] = I18n.t("revise_auth.incorrect_password")
-      render "revise_auth/registrations/edit", status: :unprocessable_entity
-    end
+    params.require(:user).permit(
+      :password,
+      :password_confirmation,
+      :password_challenge
+    ).with_defaults(password_challenge: "")
   end
 end

data/app/controllers/revise_auth/password_resets_controller.rb

@@ -0,0 +1,48 @@
+class ReviseAuth::PasswordResetsController < ReviseAuthController
+  before_action :set_user, only: [:edit, :update]
+
+  def new
+    @user = User.new
+  end
+
+  def create
+    if (user = User.find_by(email: user_params[:email]))
+      token = user.generate_token_for(:password_reset)
+      ReviseAuth::Mailer.with(user: user, token: token).password_reset.deliver_later
+    end
+
+    flash[:notice] = I18n.t("revise_auth.password_reset_sent")
+    redirect_to login_path
+  end
+
+  def edit
+  end
+
+  def update
+    if @user.update(password_params)
+      flash[:notice] = I18n.t("revise_auth.password_changed")
+      redirect_to login_path
+    else
+      render :edit, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def set_user
+    @user = User.find_by_token_for(:password_reset, params[:token])
+
+    return if @user.present?
+
+    flash[:alert] = I18n.t("revise_auth.password_link_invalid")
+    redirect_to new_password_reset_path
+  end
+
+  def user_params
+    params.require(:user).permit(:email)
+  end
+
+  def password_params
+    params.require(:user).permit(:password, :password_confirmation)
+  end
+end

data/app/controllers/revise_auth/sessions_controller.rb

@@ -5,7 +5,7 @@ class ReviseAuth::SessionsController < ReviseAuthController
   def create
     if (user = User.authenticate_by(email: params[:email], password: params[:password]))
       login(user)
-      redirect_to root_path
+      redirect_to resolve_after_login_path
     else
       flash[:alert] = I18n.t("revise_auth.invalid_email_or_password")
       render :new, status: :unprocessable_entity
@@ -16,4 +16,14 @@ class ReviseAuth::SessionsController < ReviseAuthController
     logout
     redirect_to root_path
   end
+
+  private
+
+  def resolve_after_login_path
+    try(:after_login_path) || return_to_location || root_path
+  end
+
+  def return_to_location
+    session.delete(:user_return_to)
+  end
 end

data/app/controllers/revise_auth_controller.rb

@@ -1,10 +1,2 @@
 class ReviseAuthController < ApplicationController
-  # Return true if it's a revise_auth_controller. false to all controllers unless
-  # the controllers defined inside revise_auth. Useful if you want to apply a before
-  # filter to all controllers, except the ones in revise_auth:
-  #
-  #   before_action :authenticate_user!, except: :revise_auth_controller?
-  def revise_auth_controller?
-    is_a?(::ReviseAuthController)
-  end
 end

data/app/mailers/revise_auth/mailer.rb

@@ -5,4 +5,11 @@ class ReviseAuth::Mailer < ApplicationMailer
 
     mail to: @user.unconfirmed_email
   end
+
+  def password_reset
+    @user = params[:user]
+    @token = params[:token]
+
+    mail to: @user.email
+  end
 end

data/app/views/revise_auth/mailer/password_reset.html.erb

@@ -0,0 +1,6 @@
+<p>We've received a password reset request for your login. If this was you just visit the
+  the link below to finish up. If it wasn't you, you can simply ignore this email.</p>
+
+<p><%= link_to "Reset my password", edit_password_reset_url(token: @token) %></p>
+
+<p>This link will expire in 1 hour.</p>

data/app/views/revise_auth/password_resets/edit.html.erb

@@ -0,0 +1,25 @@
+<h1>Reset Your Password</h1>
+
+<%= form_with model: @user, url: sign_up_path do |form| %>
+  <% if form.object.errors.any? %>
+    <ul>
+      <% form.object.errors.full_messages.each do |message| %>
+        <li><%= message %></li>
+      <% end %>
+    </ul>
+  <% end %>
+
+  <div>
+    <%= form.label :password %>
+    <%= form.password_field :password, required: true %>
+  </div>
+
+  <div>
+    <%= form.label :password_confirmation %>
+    <%= form.password_field :password_confirmation, required: true %>
+  </div>
+
+  <div>
+    <%= form.button "Reset password" %>
+  </div>
+<% end %>

data/app/views/revise_auth/password_resets/new.html.erb

@@ -0,0 +1,20 @@
+<h1>Send Password Reset Instructions</h1>
+
+<%= form_with model: @user, url: password_resets_path do |form| %>
+  <% if form.object.errors.any? %>
+    <ul>
+      <% form.object.errors.full_messages.each do |message| %>
+        <li><%= message %></li>
+      <% end %>
+    </ul>
+  <% end %>
+
+  <div>
+    <%= form.label :email %>
+    <%= form.email_field :email, required: true, autofocus: true %>
+  </div>
+
+  <div>
+    <%= form.button "Send Reset Instructions" %>
+  </div>
+<% end %>

data/app/views/revise_auth/registrations/edit.html.erb

@@ -16,7 +16,7 @@
       </ul>
     <% end %>
 
-    <p>Your email address is: <%= current_user.email %>
+    <p>Your email address is: <%= current_user.email %></p>
     <p>To change your email, we will send a confirmation email to your new address to complete the change.</p>
 
     <div>
@@ -43,8 +43,8 @@
     <% end %>
 
     <div>
-      <%= label_tag :current_password %>
-      <%= password_field_tag :current_password, nil, required: true %>
+      <%= form.label :password_challenge, "Current password" %>
+      <%= form.password_field :password_challenge, required: true %>
     </div>
 
     <div>

data/app/views/revise_auth/sessions/new.html.erb

@@ -14,4 +14,8 @@
   <div>
     <%= form.button "Login" %>
   </div>
+
+  <div>
+    <%= link_to "Reset your password", new_password_reset_path %>
+  </div>
 <% end %>

data/config/locales/en.yml

@@ -9,6 +9,8 @@ en:
     # Password changes
     password_changed: "Your password has been changed successfully."
     incorrect_password: "Your current password is incorrect. Please try again."
+    password_link_invalid: "The provided password reset link is invalid."
+    password_reset_sent: "An email with password reset instructions has been sent if that account exists."
 
     # Email confirmations
     email_confirmed: "Your email address has been successfully confirmed."

data/config/locales/pt.yml

@@ -0,0 +1,16 @@
+pt:
+  revise_auth:
+    account_deleted: "A sua conta foi removida."
+    account_updated: "Conta atualizada com sucesso."
+
+    invalid_email_or_password: "Email ou password inválidos."
+    sign_up_or_login: "Registe-se ou clique em entrar para continuar."
+
+    # Password changes
+    password_changed: "A sua password foi alterada com sucesso."
+    incorrect_password: "A sua password atual está incorreta. Por favor tente de novo."
+
+    # Email confirmations
+    email_confirmed: "O seu endereço de email foi modificado com sucesso."
+    email_confirm_failed: "Não foi possível confirmar o endereço de email."
+    confirmation_email_sent: "Um email de confirmação foi enviado para %{email}"

data/lib/revise_auth/authentication.rb

@@ -22,7 +22,7 @@ module ReviseAuth
 
     # Authenticates a user or redirects to the login page
     def authenticate_user!
-      redirect_to login_path, alert: I18n.t("revise_auth.sign_up_or_login") unless user_signed_in?
+      redirect_to_login_with_stashed_location unless user_signed_in?
     end
 
     # Authenticates the current user
@@ -40,17 +40,39 @@ module ReviseAuth
     end
 
     # Logs in the user
+    # - Reset the session to prevent session fixation
+    #   See: https://guides.rubyonrails.org/security.html#session-fixation-countermeasures
     # - Set Current.user for the current request
     # - Save a session cookie so the next request is authenticated
     def login(user)
-      Current.user = user
+      user_return_to = session[:user_return_to]
       reset_session
+      Current.user = user
       session[:user_id] = user.id
+      session[:user_return_to] = user_return_to
     end
 
     def logout
-      Current.user = nil
       reset_session
+      Current.user = nil
+    end
+
+    def stash_return_to_location(path)
+      session[:user_return_to] = path
+    end
+
+    def redirect_to_login_with_stashed_location
+      stash_return_to_location(request.fullpath) if request.get?
+      redirect_to login_path, alert: I18n.t("revise_auth.sign_up_or_login")
+    end
+
+    # Return true if it's a revise_auth_controller. false to all controllers unless
+    # the controllers defined inside revise_auth. Useful if you want to apply a before
+    # filter to all controllers, except the ones in revise_auth:
+    #
+    #   before_action :authenticate_user!, except: :revise_auth_controller?
+    def revise_auth_controller?
+      is_a?(::ReviseAuthController)
     end
   end
 end

data/lib/revise_auth/model.rb

@@ -4,22 +4,25 @@ module ReviseAuth
 
     included do |base|
       base.const_set :EMAIL_VERIFICATION_TOKEN_VALIDITY, 1.day
+      base.const_set :PASSWORD_RESET_TOKEN_VALIDITY, 1.hour
 
       has_secure_password
       has_secure_token :confirmation_token
 
+      generates_token_for :password_reset, expires_in: base.const_get(:PASSWORD_RESET_TOKEN_VALIDITY) do
+        BCrypt::Password.new(password_digest).salt[-10..]
+      end
+
       generates_token_for :email_verification, expires_in: base.const_get(:EMAIL_VERIFICATION_TOKEN_VALIDITY) do
         email
       end
 
+      normalizes :email, with: -> { _1.strip.downcase }
+      normalizes :unconfirmed_email, with: -> { _1.strip.downcase }
+
       validates :email, format: {with: URI::MailTo::EMAIL_REGEXP}, presence: true, uniqueness: true
       validates :unconfirmed_email, format: {with: URI::MailTo::EMAIL_REGEXP}, allow_blank: true
       validates_length_of :password, minimum: 12, allow_nil: true
-
-      before_validation do
-        email&.downcase!&.strip!
-        unconfirmed_email&.downcase!
-      end
     end
 
     # Generates a confirmation token and send email to the user

data/lib/revise_auth/routes.rb

@@ -12,6 +12,8 @@ module ActionDispatch::Routing
         patch "profile/email", to: "email#update"
         patch "profile/password", to: "password#update"
 
+        resources :password_resets, param: :token, only: [:new, :create, :edit, :update]
+
         # Email confirmation
         get "profile/email", to: "email#show"
 

data/lib/revise_auth/version.rb

@@ -1,3 +1,3 @@
 module ReviseAuth
-  VERSION = "0.3.0"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: revise_auth
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Chris Oliver
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-13 00:00:00.000000000 Z
+date: 2023-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -50,11 +50,15 @@ files:
 - Rakefile
 - app/controllers/revise_auth/email_controller.rb
 - app/controllers/revise_auth/password_controller.rb
+- app/controllers/revise_auth/password_resets_controller.rb
 - app/controllers/revise_auth/registrations_controller.rb
 - app/controllers/revise_auth/sessions_controller.rb
 - app/controllers/revise_auth_controller.rb
 - app/mailers/revise_auth/mailer.rb
 - app/views/revise_auth/mailer/confirm_email.html.erb
+- app/views/revise_auth/mailer/password_reset.html.erb
+- app/views/revise_auth/password_resets/edit.html.erb
+- app/views/revise_auth/password_resets/new.html.erb
 - app/views/revise_auth/registrations/edit.html.erb
 - app/views/revise_auth/registrations/new.html.erb
 - app/views/revise_auth/sessions/new.html.erb
@@ -63,6 +67,7 @@ files:
 - config/locales/en.yml
 - config/locales/fr.yml
 - config/locales/nl.yml
+- config/locales/pt.yml
 - config/locales/tr.yml
 - config/locales/zh-TW.yml
 - lib/generators/revise_auth/model_generator.rb