rodauth-rails 0.1.0

data/lib/generators/rodauth/mailer_generator.rb

@@ -0,0 +1,38 @@
+require "rails/generators/base"
+require "rodauth/version"
+
+module Rodauth
+  module Rails
+    module Generators
+      class MailerGenerator < ::Rails::Generators::Base
+        source_root "#{__dir__}/templates"
+        namespace "rodauth:mailer"
+
+        VIEWS = %w[
+          email_auth
+          password_changed
+          reset_password
+          unlock_account
+          verify_account
+          verify_login_change
+        ]
+
+        class_option :name,
+          desc: "The name for the mailer and the views directory",
+          default: "rodauth"
+
+        def copy_mailer
+          template "app/mailers/rodauth_mailer.rb",
+            "app/mailers/#{options[:name].underscore}_mailer.rb"
+        end
+
+        def copy_mailer_views
+          VIEWS.each do |view|
+            template "app/views/rodauth_mailer/#{view}.text.erb",
+              "app/views/#{options[:name].underscore}_mailer/#{view}.text.erb"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/generators/rodauth/templates/app/controllers/rodauth_controller.rb

@@ -0,0 +1,3 @@
+class RodauthController < ApplicationController
+  # used by Rodauth for rendering views and CSRF protection
+end

data/lib/generators/rodauth/templates/app/mailers/rodauth_mailer.rb

@@ -0,0 +1,37 @@
+class <%= options[:name].camelize %>Mailer < ApplicationMailer
+  def verify_account(recipient, email_link)
+    @email_link = email_link
+
+    mail to: recipient
+  end
+
+  def reset_password(recipient, email_link)
+    @email_link = email_link
+
+    mail to: recipient
+  end
+
+  def verify_login_change(recipient, old_login, new_login, email_link)
+    @old_login  = old_login
+    @new_login  = new_login
+    @email_link = email_link
+
+    mail to: recipient
+  end
+
+  def password_changed(recipient)
+    mail to: recipient
+  end
+
+  # def email_auth(recipient, email_link)
+  #   @email_link = email_link
+
+  #   mail to: recipient
+  # end
+
+  # def unlock_account(recipient, email_link)
+  #   @email_link = email_link
+
+  #   mail to: recipient
+  # end
+end

data/lib/generators/rodauth/templates/app/models/account.rb

@@ -0,0 +1,2 @@
+class Account < ApplicationRecord
+end

data/lib/generators/rodauth/templates/config/initializers/rodauth.rb

@@ -0,0 +1,3 @@
+Rodauth::Rails.configure do |config|
+  config.app = "RodauthApp"
+end

data/lib/generators/rodauth/templates/config/initializers/sequel.rb

@@ -0,0 +1,13 @@
+require "sequel/core"
+
+# initialize the appropriate Sequel adapter without creating a connection
+<% case adapter -%>
+<% when "postgresql" -%>
+DB = Sequel.postgres(test: false)
+<% when "mysql2" -%>
+DB = Sequel.mysql2(test: false)
+<% when "sqlite3" -%>
+DB = Sequel.sqlite(test: false)
+<% end -%>
+# have Sequel use ActiveRecord's connection for database interaction
+DB.extension :activerecord_connection

data/lib/generators/rodauth/templates/db/migrate/create_rodauth.rb

@@ -0,0 +1,170 @@
+class CreateRodauth < ActiveRecord::Migration<%= migration_version %>
+  def change
+<% if adapter == "postgresql" -%>
+    enable_extension "citext"
+
+<% end -%>
+    create_table :accounts do |t|
+<% case adapter -%>
+<% when "postgresql" -%>
+      t.citext :email, null: false, index: { unique: true, where: "status IN ('verified', 'unverified')" }
+<% else -%>
+      t.string :email, null: false, index: { unique: true }
+<% end -%>
+      t.string :status, null: false, default: "verified"
+    end
+
+    # Used if storing password hashes in a separate table (default)
+    create_table :account_password_hashes do |t|
+      t.foreign_key :accounts, column: :id
+      t.string :password_hash, null: false
+    end
+
+    # Used by the password reset feature
+    create_table :account_password_reset_keys do |t|
+      t.foreign_key :accounts, column: :id
+      t.string :key, null: false
+      t.datetime :deadline, null: false
+      t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    end
+
+    # Used by the account verification feature
+    create_table :account_verification_keys do |t|
+      t.foreign_key :accounts, column: :id
+      t.string :key, null: false
+      t.datetime :requested_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+      t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    end
+
+    # Used by the verify login change feature
+    create_table :account_login_change_keys do |t|
+      t.foreign_key :accounts, column: :id
+      t.string :key, null: false
+      t.string :login, null: false
+      t.datetime :deadline, null: false
+    end
+
+    # Used by the remember me feature
+    create_table :account_remember_keys do |t|
+      t.foreign_key :accounts, column: :id
+      t.string :key, null: false
+      t.datetime :deadline, null: false
+    end
+
+    # # Used by the audit logging feature
+    # create_table :account_authentication_audit_logs do |t|
+    #   t.references :account, null: false
+    #   t.datetime :at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    #   t.text :message, null: false
+<% case adapter -%>
+<% when "postgresql" -%>
+    #   t.jsonb :metadata
+<% when "sqlite3", "mysql2" -%>
+    #   t.json :metadata
+<% else -%>
+    #   t.string :metadata
+<% end -%>
+    #   t.index [:account_id, :at], name: "audit_account_at_idx"
+    #   t.index :at, name: "audit_at_idx"
+    # end
+
+    # # Used by the jwt refresh feature
+    # create_table :account_jwt_refresh_keys do |t|
+    #   t.references :account, null: false
+    #   t.string :key, null: false
+    #   t.datetime :deadline, null: false
+    #   t.index :account_id, name: "account_jwt_rk_account_id_idx"
+    # end
+
+    # # Used by the disallow_password_reuse feature
+    # create_table :account_previous_password_hashes do |t|
+    #   t.references :account
+    #   t.string :password_hash, null: false
+    # end
+
+    # # Used by the lockout feature
+    # create_table :account_login_failures do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.integer :number, null: false, default: 1
+    # end
+    # create_table :account_lockouts do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.string :key, null: false
+    #   t.datetime :deadline, null: false
+    #   t.datetime :email_last_sent
+    # end
+
+    # # Used by the email auth feature
+    # create_table :account_email_auth_keys do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.string :key, null: false
+    #   t.datetime :deadline, null: false
+    #   t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    # end
+
+    # # Used by the password expiration feature
+    # create_table :account_password_change_times do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.datetime :changed_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    # end
+
+    # # Used by the account expiration feature
+    # create_table :account_activity_times do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.datetime :last_activity_at, null: false
+    #   t.datetime :last_login_at, null: false
+    #   t.datetime :expired_at
+    # end
+
+    # # Used by the single session feature
+    # create_table :account_session_keys do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.string :key, null: false
+    # end
+
+    # # Used by the active sessions feature
+    # create_table :account_active_session_keys, primary_key: [:account_id, :session_id] do |t|
+    #   t.references :account
+    #   t.string :session_id
+    #   t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    # end
+
+    # # Used by the webauthn feature
+    # create_table :account_webauthn_user_ids do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.string :webauthn_id, null: false
+    # end
+    # create_table :account_webauthn_keys, primary_key: [:account_id, :webauthn_id] do |t|
+    #   t.references :account
+    #   t.string :webauthn_id
+    #   t.string :public_key, null: false
+    #   t.integer :sign_count, null: false
+    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    # end
+
+    # # Used by the otp feature
+    # create_table :account_otp_keys do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.string :key, null: false
+    #   t.integer :num_failures, null: false, default: 0
+    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    # end
+
+    # # Used by the recovery codes feature
+    # create_table :account_recovery_codes, primary_key: [:id, :code] do |t|
+    #   t.integer :id
+    #   t.foreign_key :accounts, column: :id
+    #   t.string :code
+    # end
+
+    # # Used by the sms codes feature
+    # create_table :account_sms_codes do |t|
+    #   t.foreign_key :accounts, column: :id
+    #   t.string :phone_number, null: false
+    #   t.integer :num_failures
+    #   t.string :code
+    #   t.datetime :code_issued_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
+    # end
+  end
+end

data/lib/generators/rodauth/templates/lib/rodauth_app.rb

@@ -0,0 +1,186 @@
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    # List of authentication features that are loaded.
+    enable :create_account, :verify_account, :verify_account_grace_period,
+      :login, :remember, :logout,
+      :reset_password, :change_password, :change_password_notify,
+      :change_login, :verify_login_change,
+      :close_account
+
+    # See the Rodauth documentation for the list of available config options:
+    # http://rodauth.jeremyevans.net/documentation.html
+
+    # ==> General
+    # Specify the controller used for view rendering and CSRF verification.
+    rails_controller { RodauthController }
+
+    # Store account status in a text column.
+    account_status_column :status
+    account_unverified_status_value "unverified"
+    account_open_status_value "verified"
+    account_closed_status_value "closed"
+
+    # Store password hash in a column instead of a separate table.
+    # account_password_hash_column :password_digest
+
+    # Set password when creating account instead of when verifying.
+    verify_account_set_password? false
+
+    # Redirect back to originally requested location after authentication.
+    # login_return_to_requested_location? true
+    # two_factor_auth_return_to_requested_location? true # if using MFA
+
+    # Autologin the user after they have reset their password.
+    # reset_password_autologin? true
+
+    # Delete the account record when the user has closed their account.
+    # delete_account_on_close? true
+
+    # Redirect to the app from login and registration pages if already logged in.
+    # already_logged_in { redirect login_redirect }
+
+    # ==> Emails
+    # Uncomment the lines below once you've imported mailer views.
+    # send_reset_password_email do
+    #   RodauthMailer.reset_password(email_to, password_reset_email_link).deliver_now
+    # end
+    # send_verify_account_email do
+    #   RodauthMailer.verify_account(email_to, verify_account_email_link).deliver_now
+    # end
+    # send_verify_login_change_email do |login|
+    #   RodauthMailer.verify_login_change(login, verify_login_change_old_login, verify_login_change_new_login, verify_login_change_email_link).deliver_now
+    # end
+    # send_password_changed_email do
+    #   RodauthMailer.password_changed(email_to).deliver_now
+    # end
+    # # send_email_auth_email do
+    # #   RodauthMailer.email_auth(email_to, email_auth_email_link).deliver_now
+    # # end
+    # # send_unlock_account_email do
+<% if Rodauth::MAJOR == 1 -%>
+    # #   @unlock_account_key_value = get_unlock_account_key
+<% end -%>
+    # #   RodauthMailer.unlock_account(email_to, unlock_account_email_link).deliver_now
+    # # end
+
+    # In the meantime you can tweak settings for emails created by Rodauth
+    # email_subject_prefix "[MyApp] "
+    # email_from "noreply@myapp.com"
+    # send_email(&:deliver_later)
+    # reset_password_email_body { "Click here to reset your password: #{reset_password_email_link}" }
+
+    # ==> Flash
+    # Match flash keys with ones already used in the Rails app.
+    # flash_notice_key :success # default is :notice
+    # flash_error_key :error # default is :alert
+
+    # Override default flash messages.
+    # create_account_notice_flash "Your account has been created. Please verify your account by visiting the confirmation link sent to your email address."
+    # login_error_flash "Login is required for accessing this page"
+    # login_notice_flash nil
+
+    # ==> Validation
+    # Override default validation error messages.
+    # no_matching_login_message "user with this email address doesn't exist"
+    # already_an_account_with_this_login_message "user with this email address already exists"
+    # password_too_short_message { "needs to have at least #{password_minimum_length} characters" }
+    # login_does_not_meet_requirements_message { "invalid email#{", #{login_requirement_message}" if login_requirement_message}" }
+
+    # Change minimum number of password characters required when creating an account.
+    # password_minimum_length 8
+
+    # ==> Remember Feature
+    # Remember all logged in users.
+    after_login { remember_login }
+
+    # Or only remember users that have ticked a "Remember Me" checkbox on login.
+    # after_login { remember_login if param_or_nil("remember") }
+
+    # Extend user's remember period when remembered via a cookie
+    extend_remember_deadline? true
+
+    # Consider remembered users to be multifactor-authenticated (if using MFA).
+    # after_load_memory { two_factor_update_session("totp") if two_factor_authentication_setup? }
+
+    # ==> Hooks
+    # Validate custom fields in the create account form.
+    # before_create_account do
+    #   throw_error_status(422, "name", "must be present") if param("name").empty?
+    # end
+
+    # Perform additional actions after the account is created.
+    # after_create_account do
+    #   Profile.create!(account_id: account[:id], name: param("name"))
+    # end
+
+    # Do additional cleanup after the account is closed.
+    # after_close_account do
+    #   Profile.find_by!(account_id: account[:id]).destroy
+    # end
+
+    # ==> Redirects
+    # Redirect to home page after logout.
+    logout_redirect "/"
+
+    # Redirect to wherever login redirects to after account verification.
+    verify_account_redirect { login_redirect }
+
+    # Redirect to login page after password reset.
+    reset_password_redirect { login_path }
+
+    # ==> Deadlines
+    # Change default deadlines for some actions.
+    # verify_account_grace_period 3.days
+    # reset_password_deadline_interval Hash[hours: 6]
+    # verify_login_change_deadline_interval Hash[days: 2]
+    # remember_deadline_interval Hash[days: 30]
+
+    # ==> Extending
+    # Define any additional methods you want for the Rodauth object.
+    # auth_class_eval do
+    #   def my_send_email(name, *args)
+    #     AuthenticationMailer.public_send(name, *args).deliver_later
+    #   end
+    # end
+    #
+    # Then use the new custom method in configuration blocks.
+    # send_password_reset_email do
+    #   my_send_email(:password_reset, email_to, password_reset_email_link)
+    # end
+  end
+
+  # ==> Multiple configurations
+  # configure(:admin) do
+  #   enable :http_basic_auth
+  #
+  #   prefix "/admin"
+  #   session_key :admin_id
+  # end
+
+  route do |r|
+    rodauth.load_memory # autologin remembered users
+
+    r.rodauth # route rodauth requests
+
+    # ==> Authenticating Requests
+    # Call `rodauth.require_authentication` for requests that you want to
+    # require authentication for. Some examples:
+    #
+    # next if r.path.start_with?("/docs") # skip authentication for documentation pages
+    # next if session[:admin] # skip authentication for admins
+    #
+    # # authenticate /dashboard/* and /account/* requests
+    # if r.path.start_with?("/dashboard") || r.path.start_with?("/account")
+    #   rodauth.require_authentication
+    # end
+
+    # ==> Multiple configurations
+    # r.on "admin" do
+    #   r.rodauth(:admin)
+    #
+    #   unless rodauth(:admin).logged_in?
+    #     rodauth(:admin).require_http_basic_auth
+    #   end
+    # end
+  end
+end

data/lib/generators/rodauth/views_generator.rb

@@ -0,0 +1,123 @@
+require "rails/generators/base"
+require "rodauth/version"
+
+module Rodauth
+  module Rails
+    module Generators
+      class ViewsGenerator < ::Rails::Generators::Base
+        source_root "#{__dir__}/templates"
+        namespace "rodauth:views"
+
+        VIEWS = {
+          login: %w[
+            _field _field_error _login_field _login_display _password_field
+            _submit _login_form _login_form_footer _login_form_header login
+            multi_phase_login
+          ],
+          create_account: %w[
+            _field _field_error _login_field _login_confirm_field
+            _password_field _password_confirm_field _submit create_account
+          ],
+          logout: %w[
+            _submit logout
+          ],
+          reset_password: %w[
+            _field _field_error _login_field _login_hidden_field
+            _password_field _password_confirm_field _submit
+            reset_password_request reset_password
+          ],
+          remember: %w[
+            _submit remember
+          ],
+          change_login: %w[
+            _field _field_error _login_field _login_confirm_field
+            _password_field _submit change_login
+          ],
+          change_password: %w[
+            _field _field_error _password_field _new_password_field
+            _password_confirm_field _submit change_password
+          ],
+          close_account: %w[
+            _field _field_error _password_field _submit close_account
+          ],
+          email_auth: %w[
+            _login_hidden_field _submit _email_auth_request_form email_auth
+          ],
+          verify_account: %w[
+            _field _field_error _login_hidden_field _login_field _submit
+            verify_account_resend verify_account
+          ],
+          lockout: %w[
+            _login_hidden_field _submit unlock_account_request unlock_account
+          ],
+          active_sessions: %w[
+            _global_logout_field
+          ],
+          two_factor_base: %w[
+            _field _field_error _password_field _submit
+            two_factor_manage two_factor_auth two_factor_disable
+          ],
+          otp: %w[
+            _field _field_error _otp_auth_code_field _password_field _submit
+            otp_setup otp_auth otp_disable
+          ],
+          sms_codes: %w[
+            _field _field_error _sms_code_field _sms_phone_field
+            _password_field _submit
+            sms_setup sms_confirm sms_auth sms_request sms_disable
+          ],
+          recovery_codes: %w[
+            _field _field_error _recovery_code_field _recovery_codes_form
+            recovery_codes add_recovery_codes recovery_auth
+          ],
+          webauthn: %w[
+            _field _field_error _login_hidden_field _password_field _submit
+            webauthn_setup webauthn_auth webauthn_remove
+          ]
+        }
+
+        DEPENDENCIES = {
+          active_sessions: :logout,
+          otp:             :two_factor_base,
+          sms_codes:       :two_factor_base,
+          recovery_codes:  :two_factor_base,
+          webauthn:        :two_factor_base,
+        }
+
+        class_option :features, type: :array,
+          desc: "Rodauth features to generate views for (login, create_account, reset_password, verify_account etc.)",
+          default: %w[login logout create_account verify_account reset_password change_password change_login verify_login_change close_account]
+
+        class_option :all, aliases: "-a", type: :boolean,
+          desc: "Generates views for all Rodauth features",
+          default: false
+
+        class_option :directory, aliases: "-d", type: :string,
+          desc: "The directory under app/views/* into which to create views",
+          default: "rodauth"
+
+        def create_views
+          features = options[:all] ? VIEWS.keys : options[:features].map(&:to_sym)
+
+          views = features.inject([]) do |list, feature|
+            list |= VIEWS[feature] || []
+            list |= VIEWS[DEPENDENCIES[feature]] || []
+          end
+
+          if Rodauth::MAJOR == 1
+            views -= %w[
+              multi_phase_login _global_logout_field
+              two_factor_manage two_factor_auth two_factor_disable
+              webauthn_setup webauthn_auth webauthn_remove
+            ]
+          end
+
+          views.each do |view|
+            template "app/views/rodauth/#{view}.html.erb",
+              "app/views/#{options[:directory].underscore}/#{view}.html.erb"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/features/rails.rb

@@ -0,0 +1 @@
+require "rodauth/rails/feature"

data/lib/rodauth/rails/app/flash.rb

@@ -0,0 +1,50 @@
+module Rodauth
+  module Rails
+    class App
+      # Sets up Rails' flash integration.
+      module Flash
+        def self.load_dependencies(app)
+          app.plugin :hooks
+        end
+
+        def self.configure(app)
+          app.before { request.flash }        # load flash
+          app.after  { request.commit_flash } # save flash
+        end
+
+        module InstanceMethods
+          def flash
+            request.flash
+          end
+        end
+
+        module RequestMethods
+          # If the redirect would bubble up outside of the Roda app, the after
+          # hook would never get called, so we make sure to commit the flash.
+          def redirect(*)
+            commit_flash
+            super
+          end
+
+          def flash
+            rails_request.flash
+          end
+
+          def commit_flash
+            if ActionPack.version >= Gem::Version.new("5.0.0")
+              rails_request.commit_flash
+            else
+              # ActionPack 4.2 automatically commits flash
+            end
+          end
+
+          private
+
+          def rails_request
+            ActionDispatch::Request.new(env)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/app.rb

@@ -0,0 +1,45 @@
+require "roda"
+
+module Rodauth
+  module Rails
+    # The superclass for creating a Rodauth middleware.
+    class App < Roda
+      require "rodauth/rails/app/flash"
+
+      plugin :middleware
+      plugin :hooks
+      plugin :render, layout: false
+
+      plugin Flash
+
+      def self.configure(name = nil, **options, &block)
+        plugin :rodauth, name: name, csrf: false, flash: false, **options do
+          # load the Rails integration
+          enable :rails
+
+          # database functions are more complex to set up, so disable them by default
+          use_database_authentication_functions? false
+
+          # avoid having to set deadline values in column default values
+          set_deadline_values? true
+
+          # use HMACs for additional security
+          hmac_secret { ::Rails.application.secrets.secret_key_base }
+
+          # evaluate user configuration
+          instance_exec(&block)
+        end
+      end
+
+      before do
+        (opts[:rodauths] || {}).each do |name, _|
+          if name
+            env["rodauth.#{name}"] = rodauth(name)
+          else
+            env["rodauth"] = rodauth
+          end
+        end
+      end
+    end
+  end
+end