rodauth-rails 0.11.0 → 0.15.0

data/lib/rodauth/rails/feature/base.rb

@@ -0,0 +1,62 @@
+module Rodauth
+  module Rails
+    module Feature
+      module Base
+        def self.included(feature)
+          feature.auth_methods :rails_controller
+          feature.auth_cached_method :rails_controller_instance
+        end
+
+        # Reset Rails session to protect from session fixation attacks.
+        def clear_session
+          rails_controller_instance.reset_session
+        end
+
+        # Default the flash error key to Rails' default :alert.
+        def flash_error_key
+          :alert
+        end
+
+        # Evaluates the block in context of a Rodauth controller instance.
+        def rails_controller_eval(&block)
+          rails_controller_instance.instance_exec(&block)
+        end
+
+        def rails_controller
+          if only_json? && Rodauth::Rails.api_only?
+            ActionController::API
+          else
+            ActionController::Base
+          end
+        end
+
+        delegate :rails_routes, :rails_request, to: :scope
+
+        private
+
+        # Instances of the configured controller with current request's env hash.
+        def _rails_controller_instance
+          controller = rails_controller.new
+          prepare_rails_controller(controller, rails_request)
+          controller
+        end
+
+        if ActionPack.version >= Gem::Version.new("5.0")
+          def prepare_rails_controller(controller, rails_request)
+            controller.set_request! rails_request
+            controller.set_response! rails_controller.make_response!(rails_request)
+          end
+        else
+          def prepare_rails_controller(controller, rails_request)
+            controller.send(:set_response!, rails_request)
+            controller.instance_variable_set(:@_request, rails_request)
+          end
+        end
+
+        def rails_api_controller?
+          defined?(ActionController::API) && rails_controller <= ActionController::API
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/feature/callbacks.rb

@@ -0,0 +1,65 @@
+module Rodauth
+  module Rails
+    module Feature
+      module Callbacks
+        private
+
+        def _around_rodauth
+          rails_controller_around { super }
+        end
+
+        # Runs controller callbacks and rescue handlers around Rodauth actions.
+        def rails_controller_around
+          result = nil
+
+          rails_controller_rescue do
+            rails_controller_callbacks do
+              result = catch(:halt) { yield }
+            end
+          end
+
+          result = handle_rails_controller_response(result)
+
+          throw :halt, result if result
+        end
+
+        # Runs any #(before|around|after)_action controller callbacks.
+        def rails_controller_callbacks(&block)
+          rails_controller_instance.run_callbacks(:process_action, &block)
+        end
+
+        # Runs any registered #rescue_from controller handlers.
+        def rails_controller_rescue
+          yield
+        rescue Exception => exception
+          rails_controller_instance.rescue_with_handler(exception) || raise
+
+          unless rails_controller_instance.performed?
+            raise Rodauth::Rails::Error, "rescue_from handler didn't write any response"
+          end
+        end
+
+        # Handles controller rendering a response or setting response headers.
+        def handle_rails_controller_response(result)
+          if rails_controller_instance.performed?
+            rails_controller_response
+          elsif result
+            result[1].merge!(rails_controller_instance.response.headers)
+            result
+          end
+        end
+
+        # Returns Roda response from controller response if set.
+        def rails_controller_response
+          controller_response = rails_controller_instance.response
+
+          response.status = controller_response.status
+          response.headers.merge! controller_response.headers
+          response.write controller_response.body
+
+          response.finish
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/feature/csrf.rb

@@ -0,0 +1,65 @@
+module Rodauth
+  module Rails
+    module Feature
+      module Csrf
+        def self.included(feature)
+          feature.auth_methods(
+            :rails_csrf_tag,
+            :rails_csrf_param,
+            :rails_csrf_token,
+            :rails_check_csrf!,
+          )
+        end
+
+        # Render Rails CSRF tags in Rodauth templates.
+        def csrf_tag(*)
+          rails_csrf_tag
+        end
+
+        # Verify Rails' authenticity token.
+        def check_csrf
+          rails_check_csrf!
+        end
+
+        # Have Rodauth call #check_csrf automatically.
+        def check_csrf?
+          true
+        end
+
+        private
+
+        def rails_controller_callbacks
+          return super if rails_api_controller?
+
+          # don't verify CSRF token as part of callbacks, Rodauth will do that
+          rails_controller_instance.allow_forgery_protection = false
+          super do
+            # turn the setting back to default so that form tags generate CSRF tags
+            rails_controller_instance.allow_forgery_protection = rails_controller.allow_forgery_protection
+            yield
+          end
+        end
+
+        # Calls the controller to verify the authenticity token.
+        def rails_check_csrf!
+          rails_controller_instance.send(:verify_authenticity_token)
+        end
+
+        # Hidden tag with Rails CSRF token inserted into Rodauth templates.
+        def rails_csrf_tag
+          %(<input type="hidden" name="#{rails_csrf_param}" value="#{rails_csrf_token}">)
+        end
+
+        # The request parameter under which to send the Rails CSRF token.
+        def rails_csrf_param
+          rails_controller.request_forgery_protection_token
+        end
+
+        # The Rails CSRF token value inserted into Rodauth templates.
+        def rails_csrf_token
+          rails_controller_instance.send(:form_authenticity_token)
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/feature/email.rb

@@ -0,0 +1,30 @@
+module Rodauth
+  module Rails
+    module Feature
+      module Email
+        def self.included(feature)
+          feature.depends :email_base
+        end
+
+        private
+
+        # Create emails with ActionMailer which uses configured delivery method.
+        def create_email_to(to, subject, body)
+          Mailer.create_email(to: to, from: email_from, subject: "#{email_subject_prefix}#{subject}", body: body)
+        end
+
+        # Delivers the given email.
+        def send_email(email)
+          email.deliver_now
+        end
+
+        # ActionMailer subclass for correct email delivering.
+        class Mailer < ActionMailer::Base
+          def create_email(**options)
+            mail(**options)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/feature/instrumentation.rb

@@ -0,0 +1,71 @@
+module Rodauth
+  module Rails
+    module Feature
+      module Instrumentation
+        private
+
+        def _around_rodauth
+          rails_instrument_request { super }
+        end
+
+        def redirect(*)
+          rails_instrument_redirection { super }
+        end
+
+        def rails_render(*)
+          render_output = nil
+          rails_controller_instance.view_runtime = rails_controller_instance.send(:cleanup_view_runtime) do
+            Benchmark.ms { render_output = super }
+          end
+          render_output
+        end
+
+        def rails_instrument_request
+          request = rails_request
+
+          raw_payload = {
+            controller: scope.class.superclass.name,
+            action: "call",
+            request: request,
+            params: request.filtered_parameters,
+            headers: request.headers,
+            format: request.format.ref,
+            method: request.request_method,
+            path: request.fullpath
+          }
+
+          ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
+
+          ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
+            begin
+              result = catch(:halt) { yield }
+
+              response = ActionDispatch::Response.new *(result || [404, {}, []])
+              payload[:response] = response
+              payload[:status] = response.status
+
+              throw :halt, result if result
+            rescue => error
+              payload[:status] = ActionDispatch::ExceptionWrapper.status_code_for_exception(error.class.name)
+              raise
+            ensure
+              rails_controller_eval { append_info_to_payload(payload) }
+            end
+          end
+        end
+
+        def rails_instrument_redirection
+          ActiveSupport::Notifications.instrument("redirect_to.action_controller", request: rails_request) do |payload|
+            result = catch(:halt) { yield }
+
+            response = ActionDispatch::Response.new(*result)
+            payload[:status] = response.status
+            payload[:location] = response.filtered_location
+
+            throw :halt, result
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/feature/internal_request.rb

@@ -0,0 +1,50 @@
+module Rodauth
+  module Rails
+    module Feature
+      module InternalRequest
+        def post_configure
+          super
+          return unless internal_request?
+
+          self.class.define_singleton_method(:internal_request) do |route, opts = {}, &blk|
+            url_options = ::Rails.application.config.action_mailer.default_url_options || {}
+
+            scheme = url_options[:protocol]
+            port = url_options[:port]
+            port||= Rack::Request::DEFAULT_PORTS[scheme] if Rack.release < "2"
+            host = url_options[:host]
+            host_with_port = host && port ? "#{host}:#{port}" : host
+
+            env = {
+              "HTTP_HOST" => host_with_port,
+              "rack.url_scheme" => scheme,
+              "SERVER_NAME" => host,
+              "SERVER_PORT" => port,
+            }.compact
+
+            opts = opts.merge(env: env) { |k, v1, v2| v2.merge(v1) }
+
+            super(route, opts, &blk)
+          end
+        end
+
+        private
+
+        def rails_controller_around
+          return yield if internal_request?
+          super
+        end
+
+        def rails_instrument_request
+          return yield if internal_request?
+          super
+        end
+
+        def rails_instrument_redirection
+          return yield if internal_request?
+          super
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/feature/render.rb

@@ -0,0 +1,48 @@
+module Rodauth
+  module Rails
+    module Feature
+      module Render
+        def self.included(feature)
+          feature.auth_methods :rails_render
+        end
+
+        # Renders templates with layout. First tries to render a user-defined
+        # template, otherwise falls back to Rodauth's template.
+        def view(page, *)
+          rails_render(action: page.tr("-", "_"), layout: true) ||
+            rails_render(html: super.html_safe, layout: true)
+        end
+
+        # Renders templates without layout. First tries to render a user-defined
+        # template or partial, otherwise falls back to Rodauth's template.
+        def render(page)
+          rails_render(partial: page.tr("-", "_"), layout: false) ||
+            rails_render(action: page.tr("-", "_"), layout: false) ||
+            super.html_safe
+        end
+
+        def button(*)
+          super.html_safe
+        end
+
+        private
+
+        # Calls the Rails renderer, returning nil if a template is missing.
+        def rails_render(*args)
+          return if rails_api_controller?
+
+          rails_controller_instance.render_to_string(*args)
+        rescue ActionView::MissingTemplate
+          nil
+        end
+
+        # Only look up template formats that the current request is accepting.
+        def _rails_controller_instance
+          controller = super
+          controller.formats = rails_request.formats.map(&:ref).compact
+          controller
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/model.rb

@@ -0,0 +1,101 @@
+module Rodauth
+  module Rails
+    class Model < Module
+      require "rodauth/rails/model/associations"
+
+      def initialize(auth_class, association_options: {})
+        @auth_class = auth_class
+        @association_options = association_options
+
+        define_methods
+      end
+
+      def included(model)
+        fail Rodauth::Rails::Error, "must be an Active Record model" unless model < ActiveRecord::Base
+
+        define_associations(model)
+      end
+
+      private
+
+      def define_methods
+        rodauth = @auth_class.allocate.freeze
+
+        attr_reader :password
+
+        define_method(:password=) do |password|
+          @password = password
+          password_hash = rodauth.send(:password_hash, password) if password
+          set_password_hash(password_hash)
+        end
+
+        define_method(:set_password_hash) do |password_hash|
+          if rodauth.account_password_hash_column
+            public_send(:"#{rodauth.account_password_hash_column}=", password_hash)
+          else
+            if password_hash
+              record = self.password_hash || build_password_hash
+              record.public_send(:"#{rodauth.password_hash_column}=", password_hash)
+            else
+              self.password_hash&.mark_for_destruction
+            end
+          end
+        end
+      end
+
+      def define_associations(model)
+        define_password_hash_association(model) unless rodauth.account_password_hash_column
+
+        feature_associations.each do |association|
+          define_association(model, **association)
+        end
+      end
+
+      def define_password_hash_association(model)
+        password_hash_id_column = rodauth.password_hash_id_column
+        scope = -> { select(password_hash_id_column) } if rodauth.send(:use_database_authentication_functions?)
+
+        define_association model,
+          type: :has_one,
+          name: :password_hash,
+          table: rodauth.password_hash_table,
+          foreign_key: password_hash_id_column,
+          scope: scope,
+          autosave: true
+      end
+
+      def define_association(model, type:, name:, table:, foreign_key:, scope: nil, **options)
+        associated_model = Class.new(model.superclass)
+        associated_model.table_name = table
+        associated_model.belongs_to :account,
+          class_name: model.name,
+          foreign_key: foreign_key,
+          inverse_of: name
+
+        model.const_set(name.to_s.singularize.camelize, associated_model)
+
+        model.public_send type, name, scope,
+          class_name: associated_model.name,
+          foreign_key: foreign_key,
+          dependent: :destroy,
+          inverse_of: :account,
+          **options,
+          **association_options(name)
+      end
+
+      def feature_associations
+        Rodauth::Rails::Model::Associations.call(rodauth)
+      end
+
+      def association_options(name)
+        options = @association_options
+        options = options.call(name) if options.respond_to?(:call)
+        options || {}
+      end
+
+      def rodauth
+        @auth_class.allocate
+      end
+    end
+  end
+end