rodauth-rails 0.14.0 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d447d09fef8c29feb6240523286b8906049e85965f20a6410d1a475f913d9051
-  data.tar.gz: bca9b6eadec6b32f2193291c6922467a554105d290ffd7b34bc2606d62121926
+  metadata.gz: '097625662e9cefbf7484ea775c9b1930968fbbc3a1b8ad24df9e229e2194e301'
+  data.tar.gz: fbbfe9dd849646e859aecbf3c600168fc0b65255f7b2bf933a2e42591f8b0b79
 SHA512:
-  metadata.gz: 1f512f9fe9a3e22dcddf477d8906d1ea63a548241fd93b43bbcaf274ff39e0104e20f64c6a2836e5b243e812ffde654deae55a0beca69f4ba917cd5943da8a3c
-  data.tar.gz: dbbd99959dfd42134cd3374f1f9767cf3e8d49327c195d4c35c4ecf281d0c3dad52db76b7e2fbf030c9e3ea2131bfcb1b6a120cc4a310983d8db564e63b97cda
+  metadata.gz: 762d0c1725dcd0017cdd6722894e546dfdf246e245af688a8bc99f177e43765fe8bd7a79639e45d3146ca5bedadce9f34389f61bf3a6957b406cbc664cf93829
+  data.tar.gz: 8c6624c70668356b8434dde9bd237cced89f23d4d241b770989f1af68ee687b7186f305ada409885d619b9974e7d2d47b6fddc9faf6935653cab805ee8709167

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.15.0 (2021-07-29)
+
+* Add `Rodauth::Rails::Model` mixin that defines password attribute and associations on the model (@janko)
+
+* Add support for the new internal_request feature (@janko)
+
+* Implement `Rodauth::Rails.rodauth` in terms of the internal_request feature (@janko)
+
 ## 0.14.0 (2021-07-10)
 
 * Speed up template rendering by only searching formats accepted by the request (@janko)

data/README.md

@@ -49,7 +49,7 @@ For instructions on upgrading from previous rodauth-rails versions, see
 Add the gem to your Gemfile:
 
 ```rb
-gem "rodauth-rails", "~> 0.14"
+gem "rodauth-rails", "~> 0.15"
 
 # gem "jwt",      require: false # for JWT feature
 # gem "rotp",     require: false # for OTP feature
@@ -453,6 +453,130 @@ class CreateRodauthOtpSmsCodesRecoveryCodes < ActiveRecord::Migration
 end
 ```
 
+### Model
+
+The `Rodauth::Rails::Model` mixin can be included into the account model, which
+defines a password attribute and associations for tables used by enabled
+authentication features.
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model # or `Rodauth::Rails.model(:admin)`
+end
+```
+
+#### Password attribute
+
+Regardless of whether you're storing the password hash in a column in the
+accounts table, or in a separate table, the `#password` attribute can be used
+to set or clear the password hash.
+
+```rb
+account = Account.create!(email: "user@example.com", password: "secret")
+
+# when password hash is stored in a column on the accounts table
+account.password_hash #=> "$2a$12$k/Ub1I2iomi84RacqY89Hu4.M0vK7klRnRtzorDyvOkVI.hKhkNw."
+
+# when password hash is stored in a separate table
+account.password_hash #=> #<Account::PasswordHash...> (record from `account_password_hashes` table)
+account.password_hash.password_hash #=> "$2a$12$k/Ub1..." (inaccessible when using database authentication functions)
+
+account.password = nil # clears password hash
+account.password_hash #=> nil
+```
+
+Note that the password attribute doesn't come with validations, making it
+unsuitable for forms. It was primarily intended to allow easily creating
+accounts in development console and in tests.
+
+#### Associations
+
+The `Rodauth::Rails::Model` mixin defines associations for Rodauth tables
+associated to the accounts table:
+
+```rb
+account.remember_key #=> #<Account::RememberKey> (record from `account_remember_keys` table)
+account.active_session_keys #=> [#<Account::ActiveSessionKey>,...] (records from `account_active_session_keys` table)
+```
+
+You can also reference the associated models directly:
+
+```rb
+# model referencing the `account_authentication_audit_logs` table
+Account::AuthenticationAuditLog.where(message: "login").group(:account_id)
+```
+
+The associated models define the inverse `belongs_to :account` association:
+
+```rb
+Account::ActiveSessionKey.includes(:account).map(&:account)
+```
+
+Here is an example of using associations to create a method that returns
+whether the account has multifactor authentication enabled:
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model
+
+  def mfa_enabled?
+    otp_key || (sms_code && sms_code.num_failures.nil?) || recovery_codes.any?
+  end
+end
+```
+
+Here is another example of creating a query scope that selects accounts with
+multifactor authentication enabled:
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model
+
+  scope :otp_setup, -> { where(otp_key: OtpKey.all) }
+  scope :sms_codes_setup, -> { where(sms_code: SmsCode.where(num_failures: nil)) }
+  scope :recovery_codes_setup, -> { where(recovery_codes: RecoveryCode.all) }
+  scope :mfa_enabled, -> { merge(otp_setup.or(sms_codes_setup).or(recovery_codes_setup)) }
+end
+```
+
+Below is a list of all associations defined depending on the features loaded:
+
+| Feature                 | Association                  | Type       | Model                    | Table (default)                     |
+| :------                 | :----------                  | :---       | :----                    | :----                               |
+| account_expiration      | `:activity_time`             | `has_one`  | `ActivityTime`           | `account_activity_times`            |
+| active_sessions         | `:active_session_keys`       | `has_many` | `ActiveSessionKey`       | `account_active_session_keys`       |
+| audit_logging           | `:authentication_audit_logs` | `has_many` | `AuthenticationAuditLog` | `account_authentication_audit_logs` |
+| disallow_password_reuse | `:previous_password_hashes`  | `has_many` | `PreviousPasswordHash`   | `account_previous_password_hashes`  |
+| email_auth              | `:email_auth_key`            | `has_one`  | `EmailAuthKey`           | `account_email_auth_keys`           |
+| jwt_refresh             | `:jwt_refresh_keys`          | `has_many` | `JwtRefreshKey`          | `account_jwt_refresh_keys`          |
+| lockout                 | `:lockout`                   | `has_one`  | `Lockout`                | `account_lockouts`                  |
+| lockout                 | `:login_failure`             | `has_one`  | `LoginFailure`           | `account_login_failures`            |
+| otp                     | `:otp_key`                   | `has_one`  | `OtpKey`                 | `account_otp_keys`                  |
+| password_expiration     | `:password_change_time`      | `has_one`  | `PasswordChangeTime`     | `account_password_change_times`     |
+| recovery_codes          | `:recovery_codes`            | `has_many` | `RecoveryCode`           | `account_recovery_codes`            |
+| remember                | `:remember_key`              | `has_one`  | `RememberKey`            | `account_remember_keys`             |
+| reset_password          | `:password_reset_key`        | `has_one`  | `PasswordResetKey`       | `account_password_reset_keys`       |
+| single_session          | `:session_key`               | `has_one`  | `SessionKey`             | `account_session_keys`              |
+| sms_codes               | `:sms_code`                  | `has_one`  | `SmsCode`                | `account_sms_codes`                 |
+| verify_account          | `:verification_key`          | `has_one`  | `VerificationKey`        | `account_verification_keys`         |
+| verify_login_change     | `:login_change_key`          | `has_one`  | `LoginChangeKey`         | `account_login_change_keys`         |
+| webauthn                | `:webauthn_keys`             | `has_many` | `WebauthnKey`            | `account_webauthn_keys`             |
+| webauthn                | `:webauthn_user_id`          | `has_one`  | `WebauthnUserId`         | `account_webauthn_user_ids`         |
+
+By default, all associations except for audit logs have `dependent: :destroy`
+set, to allow for easy deletion of account records in the console. You can use
+`:association_options` to modify global or per-association options:
+
+```rb
+# don't auto-delete associations when account model is deleted
+Rodauth::Rails.model(association_options: { dependent: nil })
+
+# require authentication audit logs to be eager loaded before retrieval
+Rodauth::Rails.model(association_options: -> (name) {
+  { strict_loading: true } if name == :authentication_audit_logs
+})
+```
+
 ### Multiple configurations
 
 If you need to handle multiple types of accounts that require different
@@ -656,37 +780,53 @@ class RodauthApp < Rodauth::Rails::App
 end
 ```
 
-### Rodauth instance
+### Outside of a request
+
+In some cases you might need to use Rodauth more programmatically. If you would
+like to perform Rodauth operations outside of request context, Rodauth ships
+with the [internal_request] feature just for that. The rodauth-rails gem
+additionally updates the internal rack env hash with your
+`config.action_mailer.default_url_options`, which is used for generating URLs.
 
-In some cases you might need to use Rodauth more programmatically, and perform
-Rodauth operations outside of the request context. rodauth-rails gives you a
-helper method for building a Rodauth instance:
+If you need to access Rodauth methods not exposed as internal requests, you can
+use `Rodauth::Rails.rodauth` to retrieve the Rodauth instance used by the
+internal_request feature:
 
 ```rb
-rodauth = Rodauth::Rails.rodauth # or Rodauth::Rails.rodauth(:admin)
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    enable :internal_request # this is required
+  end
+end
+```
+```rb
+account = Account.find_by!(email: "user@example.com")
+rodauth = Rodauth::Rails.rodauth(account: account)
 
-rodauth.login_url #=> "https://example.com/login"
-rodauth.account_from_login("user@example.com") # loads user by email
-rodauth.password_match?("secret") #=> true
-rodauth.setup_account_verification
-rodauth.close_account
+rodauth.compute_hmac("token") #=> "TpEJTKfKwqYvIDKWsuZhkhKlhaBXtR1aodskBAflD8U"
+rodauth.open_account? #=> true
+rodauth.two_factor_authentication_setup? #=> true
+rodauth.password_meets_requirements?("foo") #=> false
+rodauth.locked_out? #=> false
 ```
 
-The base URL is taken from Action Mailer's `default_url_options` setting if
-configured. The `Rodauth::Rails.rodauth` method accepts additional keyword
-arguments:
+In addition to the `:account` option, the `Rodauth::Rails.rodauth`
+method accepts any options supported by the internal_request feature.
+
+```rb
+Rodauth::Rails.rodauth(
+  env: { "HTTP_USER_AGENT" => "programmatic" },
+  session: { two_factor_auth_setup: true },
+  params: { "param" => "value" }
+)
+```
 
-* `:account` – Active Record model instance from which to set `account` and `session[:account_id]`
-* `:query` & `:form` – set specific query/form parameters
-* `:session` – set any session values
-* `:env` – set any additional Rack env values
+Secondary Rodauth configurations are specified by passing the configuration
+name:
 
 ```rb
-Rodauth::Rails.rodauth(account: Account.find(account_id))
-Rodauth::Rails.rodauth(query: { "param" => "value" })
-Rodauth::Rails.rodauth(form: { "param" => "value" })
-Rodauth::Rails.rodauth(session: { two_factor_auth_setup: true })
-Rodauth::Rails.rodauth(env: { "HTTP_USER_AGENT" => "programmatic" })
+Rodauth::Rails.rodauth(:admin)
 ```
 
 ## How it works
@@ -825,21 +965,23 @@ class RodauthApp < Rodauth::Rails::App
 end
 ```
 
-If you need Cross-Origin Resource Sharing and/or JWT refresh tokens, enable the
-corresponding Rodauth features and create the necessary tables:
+The JWT token will be returned after each request to Rodauth routes. To also
+return the JWT token on requests to your app's routes, you can add the
+following code to your base controller:
 
-```sh
-$ rails generate rodauth:migration jwt_refresh
-$ rails db:migrate
-```
 ```rb
-# app/lib/rodauth_app.rb
-class RodauthApp < Rodauth::Rails::App
-  configure do
-    # ...
-    enable :jwt, :jwt_cors, :jwt_refresh
-    # ...
+class ApplicationController < ActionController::Base
+  # ...
+  after_action :set_jwt_token
+
+  private
+
+  def set_jwt_token
+    if rodauth.use_jwt? && rodauth.valid_jwt?
+      response.headers["Authorization"] = rodauth.session_jwt
+    end
   end
+  # ...
 end
 ```
 
@@ -1147,29 +1289,6 @@ Rails.application.configure do |config|
 end
 ```
 
-If you need to create an account record with a password directly, you can do it
-as follows:
-
-```rb
-# app/models/account.rb
-class Account < ApplicationRecord
-  has_one :password_hash, foreign_key: :id
-end
-```
-```rb
-# app/models/account/password_hash.rb
-class Account::PasswordHash < ApplicationRecord
-  belongs_to :account, foreign_key: :id
-end
-```
-```rb
-require "bcrypt"
-
-account = Account.create!(email: "user@example.com", status: "verified")
-password_hash = BCrypt::Password.create("secret", cost: BCrypt::Engine::MIN_COST)
-account.create_password_hash!(id: account.id, password_hash: password_hash)
-```
-
 ## Rodauth defaults
 
 rodauth-rails changes some of the default Rodauth settings for easier setup:
@@ -1303,3 +1422,4 @@ conduct](https://github.com/janko/rodauth-rails/blob/master/CODE_OF_CONDUCT.md).
 [single_session]: http://rodauth.jeremyevans.net/rdoc/files/doc/single_session_rdoc.html
 [account_expiration]: http://rodauth.jeremyevans.net/rdoc/files/doc/account_expiration_rdoc.html
 [simple_ldap_authenticator]: https://github.com/jeremyevans/simple_ldap_authenticator
+[internal_request]: http://rodauth.jeremyevans.net/rdoc/files/doc/internal_request_rdoc.html

data/lib/generators/rodauth/templates/app/lib/rodauth_app.rb

@@ -154,7 +154,7 @@ class RodauthApp < Rodauth::Rails::App
 <% end -%>
   end
 
-  # ==> Multiple configurations
+  # ==> Secondary configurations
   # configure(:admin) do
   #   # ... enable features ...
   #   prefix "/admin"
@@ -163,11 +163,6 @@ class RodauthApp < Rodauth::Rails::App
   #
   #   # search views in `app/views/admin/rodauth` directory
   #   rails_controller { Admin::RodauthController }
-  #
-  #   # use separate tables (requires creating the new tables)
-  #   methods.grep(/_table$/) do |table_method|
-  #     public_send(table_method) { :"admin_#{super()}" }
-  #   end
   # end
 
   route do |r|
@@ -189,7 +184,7 @@ class RodauthApp < Rodauth::Rails::App
     #   rodauth.require_authentication
     # end
 
-    # ==> Multiple configurations
+    # ==> Secondary configurations
     # r.on "admin" do
     #   r.rodauth(:admin)
     #
@@ -197,7 +192,7 @@ class RodauthApp < Rodauth::Rails::App
     #     rodauth(:admin).require_http_basic_auth
     #   end
     #
-    #   r.pass # allow the Rails app to handle other "/admin/*" requests
+    #   break # allow the Rails app to handle other "/admin/*" requests
     # end
   end
 end

data/lib/generators/rodauth/templates/app/models/account.rb

@@ -1,2 +1,3 @@
 class Account < ApplicationRecord
+  include Rodauth::Rails.model
 end

data/lib/generators/rodauth/views_generator.rb

@@ -129,8 +129,9 @@ module Rodauth
         end
 
         def controller
-          rodauth = Rodauth::Rails.rodauth(configuration_name)
-          rodauth.rails_controller
+          rodauth = Rodauth::Rails.app.rodauth(configuration_name)
+          fail ArgumentError, "unknown rodauth configuration: #{configuration_name.inspect}" unless rodauth
+          rodauth.allocate.rails_controller
         end
 
         def configuration_name

data/lib/rodauth/rails.rb

@@ -1,9 +1,6 @@
 require "rodauth/rails/version"
 require "rodauth/rails/railtie"
 
-require "rack/utils"
-require "stringio"
-
 module Rodauth
   module Rails
     class Error < StandardError
@@ -12,49 +9,49 @@ module Rodauth
     # This allows the developer to avoid loading Rodauth at boot time.
     autoload :App, "rodauth/rails/app"
     autoload :Auth, "rodauth/rails/auth"
+    autoload :Model, "rodauth/rails/model"
 
     @app = nil
     @middleware = true
 
+    LOCK = Mutex.new
+
     class << self
-      def rodauth(name = nil, query: {}, form: {}, session: {}, account: nil, env: {})
-        unless app.rodauth(name)
+      def rodauth(name = nil, query: nil, form: nil, account: nil, **options)
+        auth_class = app.rodauth(name)
+
+        unless auth_class
           fail ArgumentError, "undefined rodauth configuration: #{name.inspect}"
         end
 
-        url_options = ActionMailer::Base.default_url_options
-
-        scheme   = url_options[:protocol] || "http"
-        port     = url_options[:port]
-        port   ||= Rack::Request::DEFAULT_PORTS[scheme] if Gem::Version.new(Rack.release) < Gem::Version.new("2.0")
-        host     = url_options[:host]
-        host    += ":#{port}" if port
-
-        content_type = "application/x-www-form-urlencoded" if form.any?
-
-        rack_env = {
-          "QUERY_STRING"    => Rack::Utils.build_nested_query(query),
-          "rack.input"      => StringIO.new(Rack::Utils.build_nested_query(form)),
-          "CONTENT_TYPE"    => content_type,
-          "rack.session"    => {},
-          "HTTP_HOST"       => host,
-          "rack.url_scheme" => scheme,
-        }.merge(env)
-
-        scope    = app.new(rack_env)
-        instance = scope.rodauth(name)
+        LOCK.synchronize do
+          unless auth_class.features.include?(:internal_request)
+            auth_class.configure { enable :internal_request }
+            warn "Rodauth::Rails.rodauth requires the internal_request feature to be enabled. For now it was enabled automatically, but this behaviour will be removed in version 1.0."
+          end
+        end
 
-        # update session hash here to make it work with JWT session
-        instance.session.merge!(session)
+        if query || form
+          warn "The :query and :form keyword arguments for Rodauth::Rails.rodauth have been deprecated. Please use the :params argument supported by internal_request feature instead."
+          options[:params] = query || form
+        end
 
         if account
-          instance.instance_variable_set(:@account, account.attributes.symbolize_keys)
-          instance.session[instance.session_key] = instance.account_session_value
+          options[:account_id] = account.id
+        end
+
+        instance = auth_class.internal_request_eval(options) do
+          @account = account.attributes.symbolize_keys if account
+          self
         end
 
         instance
       end
 
+      def model(name = nil, **options)
+        Rodauth::Rails::Model.new(app.rodauth(name), **options)
+      end
+
       # routing constraint that requires authentication
       def authenticated(name = nil, &condition)
         lambda do |request|

data/lib/rodauth/rails/feature.rb

@@ -10,6 +10,7 @@ module Rodauth
     require "rodauth/rails/feature/render"
     require "rodauth/rails/feature/email"
     require "rodauth/rails/feature/instrumentation"
+    require "rodauth/rails/feature/internal_request"
 
     include Rodauth::Rails::Feature::Base
     include Rodauth::Rails::Feature::Callbacks
@@ -17,5 +18,6 @@ module Rodauth
     include Rodauth::Rails::Feature::Render
     include Rodauth::Rails::Feature::Email
     include Rodauth::Rails::Feature::Instrumentation
+    include Rodauth::Rails::Feature::InternalRequest
   end
 end

data/lib/rodauth/rails/feature/callbacks.rb

@@ -4,13 +4,17 @@ module Rodauth
       module Callbacks
         private
 
+        def _around_rodauth
+          rails_controller_around { super }
+        end
+
         # Runs controller callbacks and rescue handlers around Rodauth actions.
-        def _around_rodauth(&block)
+        def rails_controller_around
           result = nil
 
           rails_controller_rescue do
             rails_controller_callbacks do
-              result = catch(:halt) { super(&block) }
+              result = catch(:halt) { yield }
             end
           end
 

data/lib/rodauth/rails/feature/internal_request.rb

@@ -0,0 +1,50 @@
+module Rodauth
+  module Rails
+    module Feature
+      module InternalRequest
+        def post_configure
+          super
+          return unless internal_request?
+
+          self.class.define_singleton_method(:internal_request) do |route, opts = {}, &blk|
+            url_options = ::Rails.application.config.action_mailer.default_url_options || {}
+
+            scheme = url_options[:protocol]
+            port = url_options[:port]
+            port||= Rack::Request::DEFAULT_PORTS[scheme] if Rack.release < "2"
+            host = url_options[:host]
+            host_with_port = host && port ? "#{host}:#{port}" : host
+
+            env = {
+              "HTTP_HOST" => host_with_port,
+              "rack.url_scheme" => scheme,
+              "SERVER_NAME" => host,
+              "SERVER_PORT" => port,
+            }.compact
+
+            opts = opts.merge(env: env) { |k, v1, v2| v2.merge(v1) }
+
+            super(route, opts, &blk)
+          end
+        end
+
+        private
+
+        def rails_controller_around
+          return yield if internal_request?
+          super
+        end
+
+        def rails_instrument_request
+          return yield if internal_request?
+          super
+        end
+
+        def rails_instrument_redirection
+          return yield if internal_request?
+          super
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/model.rb

@@ -0,0 +1,101 @@
+module Rodauth
+  module Rails
+    class Model < Module
+      require "rodauth/rails/model/associations"
+
+      def initialize(auth_class, association_options: {})
+        @auth_class = auth_class
+        @association_options = association_options
+
+        define_methods
+      end
+
+      def included(model)
+        fail Rodauth::Rails::Error, "must be an Active Record model" unless model < ActiveRecord::Base
+
+        define_associations(model)
+      end
+
+      private
+
+      def define_methods
+        rodauth = @auth_class.allocate.freeze
+
+        attr_reader :password
+
+        define_method(:password=) do |password|
+          @password = password
+          password_hash = rodauth.send(:password_hash, password) if password
+          set_password_hash(password_hash)
+        end
+
+        define_method(:set_password_hash) do |password_hash|
+          if rodauth.account_password_hash_column
+            public_send(:"#{rodauth.account_password_hash_column}=", password_hash)
+          else
+            if password_hash
+              record = self.password_hash || build_password_hash
+              record.public_send(:"#{rodauth.password_hash_column}=", password_hash)
+            else
+              self.password_hash&.mark_for_destruction
+            end
+          end
+        end
+      end
+
+      def define_associations(model)
+        define_password_hash_association(model) unless rodauth.account_password_hash_column
+
+        feature_associations.each do |association|
+          define_association(model, **association)
+        end
+      end
+
+      def define_password_hash_association(model)
+        password_hash_id_column = rodauth.password_hash_id_column
+        scope = -> { select(password_hash_id_column) } if rodauth.send(:use_database_authentication_functions?)
+
+        define_association model,
+          type: :has_one,
+          name: :password_hash,
+          table: rodauth.password_hash_table,
+          foreign_key: password_hash_id_column,
+          scope: scope,
+          autosave: true
+      end
+
+      def define_association(model, type:, name:, table:, foreign_key:, scope: nil, **options)
+        associated_model = Class.new(model.superclass)
+        associated_model.table_name = table
+        associated_model.belongs_to :account,
+          class_name: model.name,
+          foreign_key: foreign_key,
+          inverse_of: name
+
+        model.const_set(name.to_s.singularize.camelize, associated_model)
+
+        model.public_send type, name, scope,
+          class_name: associated_model.name,
+          foreign_key: foreign_key,
+          dependent: :destroy,
+          inverse_of: :account,
+          **options,
+          **association_options(name)
+      end
+
+      def feature_associations
+        Rodauth::Rails::Model::Associations.call(rodauth)
+      end
+
+      def association_options(name)
+        options = @association_options
+        options = options.call(name) if options.respond_to?(:call)
+        options || {}
+      end
+
+      def rodauth
+        @auth_class.allocate
+      end
+    end
+  end
+end

data/lib/rodauth/rails/model/associations.rb

@@ -0,0 +1,195 @@
+module Rodauth
+  module Rails
+    class Model
+      class Associations
+        attr_reader :rodauth
+
+        def self.call(rodauth)
+          new(rodauth).call
+        end
+
+        def initialize(rodauth)
+          @rodauth = rodauth
+        end
+
+        def call
+          rodauth.features
+            .select { |feature| respond_to?(feature, true) }
+            .flat_map { |feature| send(feature) }
+        end
+
+        private
+
+        def remember
+          {
+            name: :remember_key,
+            type: :has_one,
+            table: rodauth.remember_table,
+            foreign_key: rodauth.remember_id_column,
+          }
+        end
+
+        def verify_account
+          {
+            name: :verification_key,
+            type: :has_one,
+            table: rodauth.verify_account_table,
+            foreign_key: rodauth.verify_account_id_column,
+          }
+        end
+
+        def reset_password
+          {
+            name: :password_reset_key,
+            type: :has_one,
+            table: rodauth.reset_password_table,
+            foreign_key: rodauth.reset_password_id_column,
+          }
+        end
+
+        def verify_login_change
+          {
+            name: :login_change_key,
+            type: :has_one,
+            table: rodauth.verify_login_change_table,
+            foreign_key: rodauth.verify_login_change_id_column,
+          }
+        end
+
+        def lockout
+          [
+            {
+              name: :lockout,
+              type: :has_one,
+              table: rodauth.account_lockouts_table,
+              foreign_key: rodauth.account_lockouts_id_column,
+            },
+            {
+              name: :login_failure,
+              type: :has_one,
+              table: rodauth.account_login_failures_table,
+              foreign_key: rodauth.account_login_failures_id_column,
+            }
+          ]
+        end
+
+        def email_auth
+          {
+            name: :email_auth_key,
+            type: :has_one,
+            table: rodauth.email_auth_table,
+            foreign_key: rodauth.email_auth_id_column,
+          }
+        end
+
+        def account_expiration
+          {
+            name: :activity_time,
+            type: :has_one,
+            table: rodauth.account_activity_table,
+            foreign_key: rodauth.account_activity_id_column,
+          }
+        end
+
+        def active_sessions
+          {
+            name: :active_session_keys,
+            type: :has_many,
+            table: rodauth.active_sessions_table,
+            foreign_key: rodauth.active_sessions_account_id_column,
+          }
+        end
+
+        def audit_logging
+          {
+            name: :authentication_audit_logs,
+            type: :has_many,
+            table: rodauth.audit_logging_table,
+            foreign_key: rodauth.audit_logging_account_id_column,
+            dependent: nil,
+          }
+        end
+
+        def disallow_password_reuse
+          {
+            name: :previous_password_hashes,
+            type: :has_many,
+            table: rodauth.previous_password_hash_table,
+            foreign_key: rodauth.previous_password_account_id_column,
+          }
+        end
+
+        def jwt_refresh
+          {
+            name: :jwt_refresh_keys,
+            type: :has_many,
+            table: rodauth.jwt_refresh_token_table,
+            foreign_key: rodauth.jwt_refresh_token_account_id_column,
+          }
+        end
+
+        def password_expiration
+          {
+            name: :password_change_time,
+            type: :has_one,
+            table: rodauth.password_expiration_table,
+            foreign_key: rodauth.password_expiration_id_column,
+          }
+        end
+
+        def single_session
+          {
+            name: :session_key,
+            type: :has_one,
+            table: rodauth.single_session_table,
+            foreign_key: rodauth.single_session_id_column,
+          }
+        end
+
+        def otp
+          {
+            name: :otp_key,
+            type: :has_one,
+            table: rodauth.otp_keys_table,
+            foreign_key: rodauth.otp_keys_id_column,
+          }
+        end
+
+        def sms_codes
+          {
+            name: :sms_code,
+            type: :has_one,
+            table: rodauth.sms_codes_table,
+            foreign_key: rodauth.sms_id_column,
+          }
+        end
+
+        def recovery_codes
+          {
+            name: :recovery_codes,
+            type: :has_many,
+            table: rodauth.recovery_codes_table,
+            foreign_key: rodauth.recovery_codes_id_column,
+          }
+        end
+
+        def webauthn
+          [
+            {
+              name: :webauthn_user_id,
+              type: :has_one,
+              table: rodauth.webauthn_user_ids_table,
+              foreign_key: rodauth.webauthn_user_ids_account_id_column,
+            },
+            {
+              name: :webauthn_keys,
+              type: :has_many,
+              table: rodauth.webauthn_keys_table,
+              foreign_key: rodauth.webauthn_keys_account_id_column,
+            }
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/tasks.rake

@@ -4,15 +4,15 @@ namespace :rodauth do
 
     puts "Routes handled by #{app}:"
 
-    app.opts[:rodauths].each_key do |rodauth_name|
-      rodauth = Rodauth::Rails.rodauth(rodauth_name)
+    app.opts[:rodauths].each do |configuration_name, auth_class|
+      auth_class.configure { enable :path_class_methods }
 
-      routes = rodauth.class.routes.map do |handle_method|
+      routes = auth_class.routes.map do |handle_method|
         path_method = "#{handle_method.to_s.sub(/\Ahandle_/, "")}_path"
 
         [
-          rodauth.public_send(path_method),
-          "rodauth#{rodauth_name && "(:#{rodauth_name})"}.#{path_method}",
+          auth_class.public_send(path_method),
+          "rodauth#{configuration_name && "(:#{configuration_name})"}.#{path_method}",
         ]
       end
 

data/lib/rodauth/rails/version.rb

@@ -1,5 +1,5 @@
 module Rodauth
   module Rails
-    VERSION = "0.14.0"
+    VERSION = "0.15.0"
   end
 end

data/rodauth-rails.gemspec

@@ -17,10 +17,13 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "railties", ">= 4.2", "< 7"
-  spec.add_dependency "rodauth", "~> 2.11"
+  spec.add_dependency "rodauth", "~> 2.15"
   spec.add_dependency "sequel-activerecord_connection", "~> 1.1"
   spec.add_dependency "tilt"
   spec.add_dependency "bcrypt"
 
   spec.add_development_dependency "jwt"
+  spec.add_development_dependency "rotp"
+  spec.add_development_dependency "rqrcode"
+  spec.add_development_dependency "webauthn" unless RUBY_ENGINE == "jruby"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-rails
 version: !ruby/object:Gem::Version
-  version: 0.14.0
+  version: 0.15.0
 platform: ruby
 authors:
 - Janko Marohnić
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-07-10 00:00:00.000000000 Z
+date: 2021-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -36,14 +36,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.11'
+        version: '2.15'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.11'
+        version: '2.15'
 - !ruby/object:Gem::Dependency
   name: sequel-activerecord_connection
   requirement: !ruby/object:Gem::Requirement
@@ -100,6 +100,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rqrcode
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webauthn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Provides Rails integration for Rodauth.
 email:
 - janko.marohnic@gmail.com
@@ -212,8 +254,11 @@ files:
 - lib/rodauth/rails/feature/csrf.rb
 - lib/rodauth/rails/feature/email.rb
 - lib/rodauth/rails/feature/instrumentation.rb
+- lib/rodauth/rails/feature/internal_request.rb
 - lib/rodauth/rails/feature/render.rb
 - lib/rodauth/rails/middleware.rb
+- lib/rodauth/rails/model.rb
+- lib/rodauth/rails/model/associations.rb
 - lib/rodauth/rails/railtie.rb
 - lib/rodauth/rails/tasks.rake
 - lib/rodauth/rails/version.rb