rodauth-rails 0.11.0 → 0.15.0

data/lib/generators/rodauth/templates/app/views/rodauth/sms_setup.html.erb

@@ -1,5 +1,5 @@
-<%%= form_tag rodauth.sms_setup_path, method: :post do %>
-  <%%= render "password_field" if rodauth.two_factor_modifications_require_password? %>
+<%%= form_tag <%= rodauth %>.sms_setup_path, method: :post do %>
+  <%%= render "password_field" if <%= rodauth %>.two_factor_modifications_require_password? %>
   <%%= render "sms_phone_field" %>
   <%%= render "submit", value: "Setup SMS Backup Number" %>
 <%% end %>

data/lib/generators/rodauth/templates/app/views/rodauth/two_factor_auth.html.erb

@@ -1,5 +1,5 @@
 <ul>
-  <%% rodauth.two_factor_auth_links.sort.each do |_, link, text| %>
+  <%% <%= rodauth %>.two_factor_auth_links.sort.each do |_, link, text| %>
     <li><%%= link_to text, link %></li>
   <%% end %>
 </ul>

data/lib/generators/rodauth/templates/app/views/rodauth/two_factor_disable.html.erb

@@ -1,4 +1,4 @@
-<%%= form_tag rodauth.two_factor_disable_path, method: :post do %>
-  <%%= render "password_field" if rodauth.two_factor_modifications_require_password? %>
+<%%= form_tag <%= rodauth %>.two_factor_disable_path, method: :post do %>
+  <%%= render "password_field" if <%= rodauth %>.two_factor_modifications_require_password? %>
   <%%= render "submit", value: "Remove All Multifactor Authentication Methods" %>
 <%% end %>

data/lib/generators/rodauth/templates/app/views/rodauth/two_factor_manage.html.erb

@@ -1,22 +1,22 @@
-<%% if rodauth.two_factor_setup_links.any? %>
+<%% if <%= rodauth %>.two_factor_setup_links.any? %>
   <h2>Setup Multifactor Authentication</h2>
 
   <ul>
-    <%% rodauth.two_factor_setup_links.sort.each do |_, link, text| %>
+    <%% <%= rodauth %>.two_factor_setup_links.sort.each do |_, link, text| %>
       <li><%%= link_to text, link %></li>
     <%% end %>
   </ul>
 <%% end %>
 
-<%% if rodauth.two_factor_remove_links.any? %>
+<%% if <%= rodauth %>.two_factor_remove_links.any? %>
   <h2>Remove Multifactor Authentication</h2>
 
   <ul>
-    <%% rodauth.two_factor_remove_links.sort.each do |_, link, text| %>
+    <%% <%= rodauth %>.two_factor_remove_links.sort.each do |_, link, text| %>
       <li><%%= link_to text, link %></li>
     <%% end %>
-    <%% if rodauth.two_factor_remove_links.length > 1 %>
-      <li><%%= link_to "Remove All Multifactor Authentication Methods", rodauth.two_factor_disable_path %></li>
+    <%% if <%= rodauth %>.two_factor_remove_links.length > 1 %>
+      <li><%%= link_to "Remove All Multifactor Authentication Methods", <%= rodauth %>.two_factor_disable_path %></li>
     <%% end %>
   </ul>
 <%% end %>

data/lib/generators/rodauth/templates/app/views/rodauth/unlock_account.html.erb

@@ -1,5 +1,5 @@
-<%%= form_tag rodauth.unlock_account_path, method: :post do %>
+<%%= form_tag <%= rodauth %>.unlock_account_path, method: :post do %>
   <p>This account is currently locked out.  You can unlock the account:</p>
-  <%%= render "password_field" if rodauth.unlock_account_requires_password? %>
+  <%%= render "password_field" if <%= rodauth %>.unlock_account_requires_password? %>
   <%%= render "submit", value: "Unlock Account" %>
 <%% end %>

data/lib/generators/rodauth/templates/app/views/rodauth/unlock_account_request.html.erb

@@ -1,4 +1,4 @@
-<%%= form_tag rodauth.unlock_account_request_path, method: :post do %>
+<%%= form_tag <%= rodauth %>.unlock_account_request_path, method: :post do %>
   <p>This account is currently locked out.  You can request that the account be unlocked:</p>
   <%%= render "login_hidden_field" %>
   <%%= render "submit", value: "Request Account Unlock" %>

data/lib/generators/rodauth/templates/app/views/rodauth/verify_account.html.erb

@@ -1,5 +1,5 @@
-<%%= form_tag rodauth.verify_account_path, method: :post do %>
-  <%%= render "password_field" if rodauth.verify_account_set_password? %>
-  <%%= render "password_confirm_field" if rodauth.verify_account_set_password? && rodauth.require_password_confirmation? %>
+<%%= form_tag <%= rodauth %>.verify_account_path, method: :post do %>
+  <%%= render "password_field" if <%= rodauth %>.verify_account_set_password? %>
+  <%%= render "password_confirm_field" if <%= rodauth %>.verify_account_set_password? && <%= rodauth %>.require_password_confirmation? %>
   <%%= render "submit", value: "Verify Account" %>
 <%% end %>

data/lib/generators/rodauth/templates/app/views/rodauth/verify_account_resend.html.erb

@@ -1,6 +1,6 @@
-<%%= form_tag rodauth.verify_account_resend_path, method: :post do %>
+<%%= form_tag <%= rodauth %>.verify_account_resend_path, method: :post do %>
   <p>If you no longer have the email to verify the account, you can request that it be resent to you:</p>
-  <%% if params[rodauth.login_param] %>
+  <%% if params[<%= rodauth %>.login_param] %>
     <%%= render "login_hidden_field" %>
   <%% else %>
     <%%= render "login_field" %>

data/lib/generators/rodauth/templates/app/views/rodauth/verify_login_change.html.erb

@@ -1,3 +1,3 @@
-<%%= form_tag rodauth.verify_login_change_path, method: :post do %>
+<%%= form_tag <%= rodauth %>.verify_login_change_path, method: :post do %>
   <%%= render "submit", value: "Verify Login Change" %>
 <%% end %>

data/lib/generators/rodauth/templates/app/views/rodauth/webauthn_auth.html.erb

@@ -1,13 +1,13 @@
-<%% cred = rodauth.webauth_credential_options_for_get %>
+<%% cred = <%= rodauth %>.webauth_credential_options_for_get %>
 
-<%%= form_tag rodauth.webauthn_auth_form_path, method: :post, id: "webauthn-auth-form", data: { credential_options: cred.as_json.to_json } do %>
-  <%%= render "login_hidden_field" if params[rodauth.login_param] %>
-  <%%= hidden_field_tag rodauth.webauthn_auth_challenge_param, cred.challenge %>
-  <%%= hidden_field_tag rodauth.webauthn_auth_challenge_hmac_param, rodauth.compute_hmac(cred.challenge) %>
-  <%%= text_field_tag rodauth.webauthn_auth_param, "", id: "webauthn-auth", aria: { hidden: "true" } %>
+<%%= form_tag <%= rodauth %>.webauthn_auth_form_path, method: :post, id: "webauthn-auth-form", data: { credential_options: cred.as_json.to_json } do %>
+  <%%= render "login_hidden_field" if params[<%= rodauth %>.login_param] %>
+  <%%= hidden_field_tag <%= rodauth %>.webauthn_auth_challenge_param, cred.challenge %>
+  <%%= hidden_field_tag <%= rodauth %>.webauthn_auth_challenge_hmac_param, <%= rodauth %>.compute_hmac(cred.challenge) %>
+  <%%= text_field_tag <%= rodauth %>.webauthn_auth_param, "", id: "webauthn-auth", aria: { hidden: "true" } %>
   <div id="webauthn-auth-button">
     <%%= render "submit", value: "Authenticate Using WebAuthn" %>
   </div>
 <%% end %>
 
-<%%= javascript_include_tag rodauth.webauthn_auth_js_path %>
+<%%= javascript_include_tag <%= rodauth %>.webauthn_auth_js_path %>

data/lib/generators/rodauth/templates/app/views/rodauth/webauthn_remove.html.erb

@@ -1,11 +1,11 @@
-<%%= form_tag rodauth.webauthn_remove_path, method: :post, id: "webauthn-remove-form" do %>
-  <%%= render "password_field" if rodauth.two_factor_modifications_require_password? %>
-  <fieldset class="form-group">
-    <%% (usage = rodauth.account_webauthn_usage).each do |id, last_use| %>
+<%%= form_tag <%= rodauth %>.webauthn_remove_path, method: :post, id: "webauthn-remove-form" do %>
+  <%%= render "password_field" if <%= rodauth %>.two_factor_modifications_require_password? %>
+  <fieldset class="form-group mb-3">
+    <%% (usage = <%= rodauth %>.account_webauthn_usage).each do |id, last_use| %>
       <div class="form-check">
-        <%%= render "field", name: rodauth.webauthn_remove_param, id: "webauthn-remove-#{id}", type: :radio, class: "form-check-input", skip_error_message: true, value: id, required: false %>
+        <%%= render "field", name: <%= rodauth %>.webauthn_remove_param, id: "webauthn-remove-#{id}", type: :radio, class: "form-check-input", skip_error_message: true, value: id, required: false %>
         <%%= label_tag "webauthn-remove-#{id}", "Last use: #{last_use}", class: "form-check-label" %>
-        <%%= render "field_error", name: rodauth.webauthn_remove_param if id == usage.keys.last %>
+        <%%= render "field_error", name: <%= rodauth %>.webauthn_remove_param if id == usage.keys.last %>
       </div>
     <%% end %>
   </fieldset>

data/lib/generators/rodauth/templates/app/views/rodauth/webauthn_setup.html.erb

@@ -1,13 +1,13 @@
-<%% cred = rodauth.new_webauthn_credential %>
+<%% cred = <%= rodauth %>.new_webauthn_credential %>
 
-<%%= form_tag rodauth.webauthn_setup_path, method: :post, id: "webauthn-setup-form", data: { credential_options: cred.as_json.to_json } do %>
-  <%%= hidden_field_tag rodauth.webauthn_setup_challenge_param, cred.challenge %>
-  <%%= hidden_field_tag rodauth.webauthn_setup_challenge_hmac_param, rodauth.compute_hmac(cred.challenge) %>
-  <%%= text_field_tag rodauth.webauthn_setup_param, "", id: "webauthn-setup", aria: { hidden: "true" } %>
-  <%%= render "password_field" if rodauth.two_factor_modifications_require_password? %>
+<%%= form_tag <%= rodauth %>.webauthn_setup_path, method: :post, id: "webauthn-setup-form", data: { credential_options: cred.as_json.to_json } do %>
+  <%%= hidden_field_tag <%= rodauth %>.webauthn_setup_challenge_param, cred.challenge %>
+  <%%= hidden_field_tag <%= rodauth %>.webauthn_setup_challenge_hmac_param, <%= rodauth %>.compute_hmac(cred.challenge) %>
+  <%%= text_field_tag <%= rodauth %>.webauthn_setup_param, "", id: "webauthn-setup", aria: { hidden: "true" } %>
+  <%%= render "password_field" if <%= rodauth %>.two_factor_modifications_require_password? %>
   <div id="webauthn-setup-button"> 
     <%%= render "submit", value: "Setup WebAuthn Authentication" %>
   </div>
 <%% end %>
 
-<%%= javascript_include_tag rodauth.webauthn_setup_js_path %>
+<%%= javascript_include_tag <%= rodauth %>.webauthn_setup_js_path %>

data/lib/generators/rodauth/views_generator.rb

@@ -18,9 +18,9 @@ module Rodauth
           desc: "Generates views for all Rodauth features",
           default: false
 
-        class_option :directory, aliases: "-d", type: :string,
-          desc: "The directory under app/views/* into which to create views",
-          default: "rodauth"
+        class_option :name, aliases: "-n", type: :string,
+          desc: "The configuration name for which to generate views",
+          default: nil
 
         VIEWS = {
           login: %w[
@@ -112,9 +112,31 @@ module Rodauth
 
           views.each do |view|
             template "app/views/rodauth/#{view}.html.erb",
-              "app/views/#{options[:directory].underscore}/#{view}.html.erb"
+              "app/views/#{directory}/#{view}.html.erb"
           end
         end
+
+        def directory
+          if controller.abstract?
+            fail Error, "no controller configured for configuration: #{configuration_name.inspect}"
+          end
+
+          controller.controller_path
+        end
+
+        def rodauth
+          "rodauth#{"(:#{configuration_name})" if configuration_name}"
+        end
+
+        def controller
+          rodauth = Rodauth::Rails.app.rodauth(configuration_name)
+          fail ArgumentError, "unknown rodauth configuration: #{configuration_name.inspect}" unless rodauth
+          rodauth.allocate.rails_controller
+        end
+
+        def configuration_name
+          options[:name]&.to_sym
+        end
       end
     end
   end

data/lib/rodauth/rails.rb

@@ -9,28 +9,47 @@ module Rodauth
     # This allows the developer to avoid loading Rodauth at boot time.
     autoload :App, "rodauth/rails/app"
     autoload :Auth, "rodauth/rails/auth"
+    autoload :Model, "rodauth/rails/model"
 
     @app = nil
     @middleware = true
 
+    LOCK = Mutex.new
+
     class << self
-      def rodauth(name = nil)
-        url_options = ActionMailer::Base.default_url_options
+      def rodauth(name = nil, query: nil, form: nil, account: nil, **options)
+        auth_class = app.rodauth(name)
+
+        unless auth_class
+          fail ArgumentError, "undefined rodauth configuration: #{name.inspect}"
+        end
+
+        LOCK.synchronize do
+          unless auth_class.features.include?(:internal_request)
+            auth_class.configure { enable :internal_request }
+            warn "Rodauth::Rails.rodauth requires the internal_request feature to be enabled. For now it was enabled automatically, but this behaviour will be removed in version 1.0."
+          end
+        end
 
-        scheme   = url_options[:protocol] || "http"
-        port     = url_options[:port]
-        port   ||= Rack::Request::DEFAULT_PORTS[scheme] if Gem::Version.new(Rack.release) < Gem::Version.new("2.0")
-        host     = url_options[:host]
-        host    += ":#{port}" if port
+        if query || form
+          warn "The :query and :form keyword arguments for Rodauth::Rails.rodauth have been deprecated. Please use the :params argument supported by internal_request feature instead."
+          options[:params] = query || form
+        end
 
-        rack_env = {
-          "HTTP_HOST"       => host,
-          "rack.url_scheme" => scheme,
-        }
+        if account
+          options[:account_id] = account.id
+        end
 
-        scope = app.new(rack_env)
+        instance = auth_class.internal_request_eval(options) do
+          @account = account.attributes.symbolize_keys if account
+          self
+        end
+
+        instance
+      end
 
-        scope.rodauth(name)
+      def model(name = nil, **options)
+        Rodauth::Rails::Model.new(app.rodauth(name), **options)
       end
 
       # routing constraint that requires authentication

data/lib/rodauth/rails/auth.rb

@@ -6,20 +6,17 @@ module Rodauth
     # Base auth class that applies some default configuration and supports
     # multi-level inheritance.
     class Auth < Rodauth::Auth
-      class << self
-        attr_writer :features
-        attr_writer :routes
-        attr_accessor :configuration
-      end
-
       def self.inherited(auth_class)
         super
-        auth_class.roda_class = Rodauth::Rails.app
-        auth_class.features = features.dup
-        auth_class.routes = routes.dup
-        auth_class.route_hash = route_hash.dup
-        auth_class.configuration = configuration.clone
-        auth_class.configuration.instance_variable_set(:@auth, auth_class)
+        superclass = self
+        auth_class.class_eval do
+          @roda_class = Rodauth::Rails.app
+          @features = superclass.features.clone
+          @routes = superclass.routes.clone
+          @route_hash = superclass.route_hash.clone
+          @configuration = superclass.instance_variable_get(:@configuration).clone
+          @configuration.instance_variable_set(:@auth, self)
+        end
       end
 
       # apply default configuration

data/lib/rodauth/rails/feature.rb

@@ -1,234 +1,23 @@
 module Rodauth
   Feature.define(:rails) do
-    depends :email_base
-
-    # List of overridable methods.
-    auth_methods(
-      :rails_render,
-      :rails_csrf_tag,
-      :rails_csrf_param,
-      :rails_csrf_token,
-      :rails_check_csrf!,
-      :rails_controller,
-    )
-
-    auth_cached_method :rails_controller_instance
-
-    # Renders templates with layout. First tries to render a user-defined
-    # template, otherwise falls back to Rodauth's template.
-    def view(page, *)
-      rails_render(action: page.tr("-", "_"), layout: true) ||
-        rails_render(html: super.html_safe, layout: true)
-    end
-
-    # Renders templates without layout. First tries to render a user-defined
-    # template or partial, otherwise falls back to Rodauth's template.
-    def render(page)
-      rails_render(partial: page.tr("-", "_"), layout: false) ||
-        rails_render(action: page.tr("-", "_"), layout: false) ||
-        super.html_safe
-    end
-
-    # Render Rails CSRF tags in Rodauth templates.
-    def csrf_tag(*)
-      rails_csrf_tag
-    end
-
-    # Verify Rails' authenticity token.
-    def check_csrf
-      rails_check_csrf!
-    end
-
-    # Have Rodauth call #check_csrf automatically.
-    def check_csrf?
-      true
-    end
-
-    # Reset Rails session to protect from session fixation attacks.
-    def clear_session
-      rails_controller_instance.reset_session
-    end
-
-    # Default the flash error key to Rails' default :alert.
-    def flash_error_key
-      :alert
-    end
-
-    # Evaluates the block in context of a Rodauth controller instance.
-    def rails_controller_eval(&block)
-      rails_controller_instance.instance_exec(&block)
-    end
-
-    def button(*)
-      super.html_safe
-    end
-
-    delegate :rails_routes, :rails_request, to: :scope
-
-    private
-
-    # Runs controller callbacks and rescue handlers around Rodauth actions.
-    def _around_rodauth(&block)
-      result = nil
-
-      rails_instrument_request do
-        rails_controller_rescue do
-          rails_controller_callbacks do
-            result = catch(:halt) { super(&block) }
-          end
-        end
-
-        result = handle_rails_controller_response(result)
-      end
-
-      throw :halt, result if result
-    end
-
-    # Handles controller rendering a response or setting response headers.
-    def handle_rails_controller_response(result)
-      if rails_controller_instance.performed?
-        rails_controller_response
-      elsif result
-        result[1].merge!(rails_controller_instance.response.headers)
-        result
-      end
-    end
-
-    # Runs any #(before|around|after)_action controller callbacks.
-    def rails_controller_callbacks
-      # don't verify CSRF token as part of callbacks, Rodauth will do that
-      rails_controller_forgery_protection { false }
-
-      rails_controller_instance.run_callbacks(:process_action) do
-        # turn the setting back to default so that form tags generate CSRF tags
-        rails_controller_forgery_protection { rails_controller.allow_forgery_protection }
-
-        yield
-      end
-    end
-
-    # Runs any registered #rescue_from controller handlers.
-    def rails_controller_rescue
-      yield
-    rescue Exception => exception
-      rails_controller_instance.rescue_with_handler(exception) || raise
-
-      unless rails_controller_instance.performed?
-        raise Rodauth::Rails::Error, "rescue_from handler didn't write any response"
-      end
-    end
-
-    def rails_instrument_request
-      ActiveSupport::Notifications.instrument("start_processing.rodauth", rodauth: self)
-      ActiveSupport::Notifications.instrument("process_request.rodauth", rodauth: self) do |payload|
-        begin
-          status, headers, body = yield
-          payload[:status] = status || 404
-          payload[:headers] = headers
-          payload[:body] = body
-        ensure
-          rails_controller_instance.send(:append_info_to_payload, payload)
-        end
-      end
-    end
-
-    # Returns Roda response from controller response if set.
-    def rails_controller_response
-      controller_response = rails_controller_instance.response
-
-      response.status = controller_response.status
-      response.headers.merge! controller_response.headers
-      response.write controller_response.body
-
-      response.finish
-    end
-
-    # Create emails with ActionMailer which uses configured delivery method.
-    def create_email_to(to, subject, body)
-      Mailer.create_email(to: to, from: email_from, subject: "#{email_subject_prefix}#{subject}", body: body)
-    end
-
-    # Delivers the given email.
-    def send_email(email)
-      email.deliver_now
-    end
-
-    # Calls the Rails renderer, returning nil if a template is missing.
-    def rails_render(*args)
-      return if rails_api_controller?
-
-      rails_controller_instance.render_to_string(*args)
-    rescue ActionView::MissingTemplate
-      nil
-    end
-
-    # Calls the controller to verify the authenticity token.
-    def rails_check_csrf!
-      rails_controller_instance.send(:verify_authenticity_token)
-    end
-
-    # Hidden tag with Rails CSRF token inserted into Rodauth templates.
-    def rails_csrf_tag
-      %(<input type="hidden" name="#{rails_csrf_param}" value="#{rails_csrf_token}">)
-    end
-
-    # The request parameter under which to send the Rails CSRF token.
-    def rails_csrf_param
-      rails_controller.request_forgery_protection_token
-    end
-
-    # The Rails CSRF token value inserted into Rodauth templates.
-    def rails_csrf_token
-      rails_controller_instance.send(:form_authenticity_token)
-    end
-
-    # allows/disables forgery protection
-    def rails_controller_forgery_protection(&value)
-      return if rails_api_controller?
-
-      rails_controller_instance.allow_forgery_protection = value.call
-    end
-
-    # Instances of the configured controller with current request's env hash.
-    def _rails_controller_instance
-      controller = rails_controller.new
-      prepare_rails_controller(controller, rails_request)
-      controller
-    end
-
-    if ActionPack.version >= Gem::Version.new("5.0")
-      def prepare_rails_controller(controller, rails_request)
-        controller.set_request! rails_request
-        controller.set_response! rails_controller.make_response!(rails_request)
-      end
-    else
-      def prepare_rails_controller(controller, rails_request)
-        controller.send(:set_response!, rails_request)
-        controller.instance_variable_set(:@_request, rails_request)
-      end
-    end
-
-    def rails_api_controller?
-      defined?(ActionController::API) && rails_controller <= ActionController::API
-    end
-
-    def rails_controller
-      if only_json? && Rodauth::Rails.api_only?
-        ActionController::API
-      else
-        ActionController::Base
-      end
-    end
-
-    # ActionMailer subclass for correct email delivering.
-    class Mailer < ActionMailer::Base
-      def create_email(**options)
-        mail(**options)
-      end
-    end
+    # Assign feature and feature configuration to constants for introspection.
+    Rodauth::Rails::Feature              = self
+    Rodauth::Rails::FeatureConfiguration = self.configuration
+
+    require "rodauth/rails/feature/base"
+    require "rodauth/rails/feature/callbacks"
+    require "rodauth/rails/feature/csrf"
+    require "rodauth/rails/feature/render"
+    require "rodauth/rails/feature/email"
+    require "rodauth/rails/feature/instrumentation"
+    require "rodauth/rails/feature/internal_request"
+
+    include Rodauth::Rails::Feature::Base
+    include Rodauth::Rails::Feature::Callbacks
+    include Rodauth::Rails::Feature::Csrf
+    include Rodauth::Rails::Feature::Render
+    include Rodauth::Rails::Feature::Email
+    include Rodauth::Rails::Feature::Instrumentation
+    include Rodauth::Rails::Feature::InternalRequest
   end
-
-  # Assign feature and feature configuration to constants for introspection.
-  Rails::Feature              = FEATURES[:rails]
-  Rails::FeatureConfiguration = FEATURES[:rails].configuration
 end