rodauth-rails 0.17.0 → 0.17.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +18 -0
- data/lib/generators/rodauth/install_generator.rb +10 -2
- data/lib/generators/rodauth/migration/base.erb +8 -2
- data/lib/generators/rodauth/templates/app/lib/rodauth_app.rb +1 -1
- data/lib/generators/rodauth/templates/app/views/rodauth/_recovery_codes_form.html.erb +1 -1
- data/lib/rodauth/rails/feature/csrf.rb +15 -4
- data/lib/rodauth/rails/feature/internal_request.rb +16 -20
- data/lib/rodauth/rails/version.rb +1 -1
- data/lib/rodauth/rails.rb +6 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 458a4a5552c124a1e7587837bbd57eed020857ae691bcc4b1f2e2639df774bb8
|
|
4
|
+
data.tar.gz: b19da17830585641950d026dff75ebd32ded19ad16dd5fb5c3b8a33c34b0a8f6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 01d5c774269d260e2805e0a2e4a509d9db81a3a966e94176cd6c5df6d808356feee48c5009b9692e0647034ae1c4d6ea3dc29627fa2000d05821a4402080601a
|
|
7
|
+
data.tar.gz: 1dde8d0ffb4605d3abf7893628a804eca7c0fbc94f2418176651dce81fac14eb4dfe1d165e315288a2a46373b818c795e15e9d58b5ad77f15b1fb5c3d9efc4be
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,21 @@
|
|
|
1
|
+
## 0.17.1 (2021-10-20)
|
|
2
|
+
|
|
3
|
+
* Skip checking CSRF when request forgery protection wasn't loaded on the controller (@janko)
|
|
4
|
+
|
|
5
|
+
* Create partial unique index for `accounts.email` column when using `sqlite3` adapter (@janko)
|
|
6
|
+
|
|
7
|
+
* Revert setting `delete_account_on_close?` to `true` in generated `rodauth_app.rb` (@janko)
|
|
8
|
+
|
|
9
|
+
* Disable Turbo in `_recovery_codes_form.html.erb`, since viewing recovery codes isn't Turbo-compatible (@janko)
|
|
10
|
+
|
|
11
|
+
* Generate JSON configuration on `rodauth:install` for API-only with sessions enabled (@janko)
|
|
12
|
+
|
|
13
|
+
* Generate JWT configuration on `rodauth:install` only for API-only apps without sessions enabled (@janko)
|
|
14
|
+
|
|
15
|
+
* Don't generate JWT configuration when `rodauth:install --json` was run in API-only app (@janko)
|
|
16
|
+
|
|
17
|
+
* Use `config.action_mailer.default_url_options` in path_class_methods feature (@janko)
|
|
18
|
+
|
|
1
19
|
## 0.17.0 (2021-10-05)
|
|
2
20
|
|
|
3
21
|
* Set `delete_account_on_close?` to `true` in generated `rodauth_app.rb` (@janko)
|
|
@@ -95,11 +95,11 @@ module Rodauth
|
|
|
95
95
|
end
|
|
96
96
|
|
|
97
97
|
def json?
|
|
98
|
-
options[:json]
|
|
98
|
+
options[:json] || api_only? && session_store? && !options[:jwt]
|
|
99
99
|
end
|
|
100
100
|
|
|
101
101
|
def jwt?
|
|
102
|
-
options[:jwt] ||
|
|
102
|
+
options[:jwt] || api_only? && !session_store? && !options[:json]
|
|
103
103
|
end
|
|
104
104
|
|
|
105
105
|
def migration_features
|
|
@@ -107,6 +107,14 @@ module Rodauth
|
|
|
107
107
|
features << :remember unless jwt?
|
|
108
108
|
features
|
|
109
109
|
end
|
|
110
|
+
|
|
111
|
+
def session_store?
|
|
112
|
+
!!::Rails.application.config.session_store
|
|
113
|
+
end
|
|
114
|
+
|
|
115
|
+
def api_only?
|
|
116
|
+
Rodauth::Rails.api_only?
|
|
117
|
+
end
|
|
110
118
|
end
|
|
111
119
|
end
|
|
112
120
|
end
|
|
@@ -5,11 +5,17 @@ enable_extension "citext"
|
|
|
5
5
|
create_table :accounts<%= primary_key_type %> do |t|
|
|
6
6
|
<% case activerecord_adapter -%>
|
|
7
7
|
<% when "postgresql" -%>
|
|
8
|
-
t.citext :email, null: false
|
|
8
|
+
t.citext :email, null: false
|
|
9
9
|
<% else -%>
|
|
10
|
-
t.string :email, null: false
|
|
10
|
+
t.string :email, null: false
|
|
11
11
|
<% end -%>
|
|
12
12
|
t.string :status, null: false, default: "unverified"
|
|
13
|
+
<% case activerecord_adapter -%>
|
|
14
|
+
<% when "postgresql", "sqlite3" -%>
|
|
15
|
+
t.index :email, unique: true, where: "status IN ('unverified', 'verified')"
|
|
16
|
+
<% else -%>
|
|
17
|
+
t.index :email, unique: true
|
|
18
|
+
<% end -%>
|
|
13
19
|
end
|
|
14
20
|
|
|
15
21
|
# Used if storing password hashes in a separate table (default)
|
|
@@ -52,7 +52,7 @@ class RodauthApp < Rodauth::Rails::App
|
|
|
52
52
|
# reset_password_autologin? true
|
|
53
53
|
|
|
54
54
|
# Delete the account record when the user has closed their account.
|
|
55
|
-
delete_account_on_close? true
|
|
55
|
+
# delete_account_on_close? true
|
|
56
56
|
|
|
57
57
|
# Redirect to the app from login and registration pages if already logged in.
|
|
58
58
|
# already_logged_in { redirect login_redirect }
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
<%%= form_tag <%= rodauth %>.recovery_codes_path, method: :post do %>
|
|
1
|
+
<%%= form_tag <%= rodauth %>.recovery_codes_path, method: :post, data: { turbo: false } do %>
|
|
2
2
|
<%%= render "password_field" if <%= rodauth %>.two_factor_modifications_require_password? %>
|
|
3
3
|
<%%= render "submit",
|
|
4
4
|
value: <%= rodauth %>.recovery_codes_button || "View Authentication Recovery Codes",
|
|
@@ -13,23 +13,23 @@ module Rodauth
|
|
|
13
13
|
|
|
14
14
|
# Render Rails CSRF tags in Rodauth templates.
|
|
15
15
|
def csrf_tag(*)
|
|
16
|
-
rails_csrf_tag
|
|
16
|
+
rails_csrf_tag if rails_controller_csrf?
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
# Verify Rails' authenticity token.
|
|
20
20
|
def check_csrf
|
|
21
|
-
rails_check_csrf!
|
|
21
|
+
rails_check_csrf! if rails_controller_csrf?
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
# Have Rodauth call #check_csrf automatically.
|
|
25
25
|
def check_csrf?
|
|
26
|
-
|
|
26
|
+
rails_check_csrf? if rails_controller_csrf?
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
private
|
|
30
30
|
|
|
31
31
|
def rails_controller_callbacks
|
|
32
|
-
return super
|
|
32
|
+
return super unless rails_controller_csrf?
|
|
33
33
|
|
|
34
34
|
# don't verify CSRF token as part of callbacks, Rodauth will do that
|
|
35
35
|
rails_controller_instance.allow_forgery_protection = false
|
|
@@ -40,6 +40,12 @@ module Rodauth
|
|
|
40
40
|
end
|
|
41
41
|
end
|
|
42
42
|
|
|
43
|
+
# Checks whether ActionController::RequestForgeryProtection is included
|
|
44
|
+
# and that protect_from_forgery was called.
|
|
45
|
+
def rails_check_csrf?
|
|
46
|
+
!!rails_controller_instance.forgery_protection_strategy
|
|
47
|
+
end
|
|
48
|
+
|
|
43
49
|
# Calls the controller to verify the authenticity token.
|
|
44
50
|
def rails_check_csrf!
|
|
45
51
|
rails_controller_instance.send(:verify_authenticity_token)
|
|
@@ -59,6 +65,11 @@ module Rodauth
|
|
|
59
65
|
def rails_csrf_token
|
|
60
66
|
rails_controller_instance.send(:form_authenticity_token)
|
|
61
67
|
end
|
|
68
|
+
|
|
69
|
+
# Checks whether ActionController::RequestForgeryProtection is included.
|
|
70
|
+
def rails_controller_csrf?
|
|
71
|
+
rails_controller.respond_to?(:protect_from_forgery)
|
|
72
|
+
end
|
|
62
73
|
end
|
|
63
74
|
end
|
|
64
75
|
end
|
|
@@ -2,30 +2,20 @@ module Rodauth
|
|
|
2
2
|
module Rails
|
|
3
3
|
module Feature
|
|
4
4
|
module InternalRequest
|
|
5
|
-
def
|
|
6
|
-
super
|
|
7
|
-
return unless internal_request?
|
|
8
|
-
|
|
9
|
-
self.class.define_singleton_method(:internal_request) do |route, opts = {}, &blk|
|
|
10
|
-
url_options = ::Rails.application.config.action_mailer.default_url_options || {}
|
|
5
|
+
def domain
|
|
6
|
+
return super unless missing_host?
|
|
11
7
|
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
port||= Rack::Request::DEFAULT_PORTS[scheme] if Rack.release < "2"
|
|
15
|
-
host = url_options[:host]
|
|
16
|
-
host_with_port = host && port ? "#{host}:#{port}" : host
|
|
8
|
+
Rodauth::Rails.url_options[:host]
|
|
9
|
+
end
|
|
17
10
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
"rack.url_scheme" => scheme,
|
|
21
|
-
"SERVER_NAME" => host,
|
|
22
|
-
"SERVER_PORT" => port,
|
|
23
|
-
}.compact
|
|
11
|
+
def base_url
|
|
12
|
+
return super unless missing_host? && domain
|
|
24
13
|
|
|
25
|
-
|
|
14
|
+
url_options = Rodauth::Rails.url_options
|
|
26
15
|
|
|
27
|
-
|
|
28
|
-
|
|
16
|
+
url = "#{url_options[:protocol]}://#{domain}"
|
|
17
|
+
url << ":#{url_options[:port]}" if url_options[:port]
|
|
18
|
+
url
|
|
29
19
|
end
|
|
30
20
|
|
|
31
21
|
private
|
|
@@ -44,6 +34,12 @@ module Rodauth
|
|
|
44
34
|
return yield if internal_request?
|
|
45
35
|
super
|
|
46
36
|
end
|
|
37
|
+
|
|
38
|
+
# Checks whether we're in an internal request and host was not set,
|
|
39
|
+
# or the request doesn't exist such as with path_class_methods feature.
|
|
40
|
+
def missing_host?
|
|
41
|
+
internal_request? && request.host == INVALID_DOMAIN || scope.nil?
|
|
42
|
+
end
|
|
47
43
|
end
|
|
48
44
|
end
|
|
49
45
|
end
|
data/lib/rodauth/rails.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth-rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.17.
|
|
4
|
+
version: 0.17.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Janko Marohnić
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-10-
|
|
11
|
+
date: 2021-10-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: railties
|