rodauth-rails 0.3.1 → 0.6.0

data/lib/generators/rodauth/templates/config/initializers/sequel.rb

@@ -1,8 +1,4 @@
 require "sequel/core"
 
 # initialize Sequel and have it reuse Active Record's database connection
-<%- if RUBY_ENGINE == "jruby" -%>
-DB = Sequel.connect("jdbc:<%= sequel_adapter %>://", extensions: :activerecord_connection)
-<% else -%>
-DB = Sequel.<%= sequel_adapter %>(extensions: :activerecord_connection)
-<% end -%>
+DB = Sequel.connect("<%= sequel_uri_scheme %>://", extensions: :activerecord_connection)

data/lib/generators/rodauth/templates/db/migrate/create_rodauth.rb

@@ -1,170 +1,5 @@
-class CreateRodauth < ActiveRecord::Migration<%= migration_version %>
+class <%= migration_class_name %> < ActiveRecord::Migration<%= migration_version %>
   def change
-<% if activerecord_adapter == "postgresql" -%>
-    enable_extension "citext"
-
-<% end -%>
-    create_table :accounts do |t|
-<% case activerecord_adapter -%>
-<% when "postgresql" -%>
-      t.citext :email, null: false, index: { unique: true, where: "status IN ('verified', 'unverified')" }
-<% else -%>
-      t.string :email, null: false, index: { unique: true }
-<% end -%>
-      t.string :status, null: false, default: "verified"
-    end
-
-    # Used if storing password hashes in a separate table (default)
-    create_table :account_password_hashes do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :password_hash, null: false
-    end
-
-    # Used by the password reset feature
-    create_table :account_password_reset_keys do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :key, null: false
-      t.datetime :deadline, null: false
-      t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    end
-
-    # Used by the account verification feature
-    create_table :account_verification_keys do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :key, null: false
-      t.datetime :requested_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    end
-
-    # Used by the verify login change feature
-    create_table :account_login_change_keys do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :key, null: false
-      t.string :login, null: false
-      t.datetime :deadline, null: false
-    end
-
-    # Used by the remember me feature
-    create_table :account_remember_keys do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :key, null: false
-      t.datetime :deadline, null: false
-    end
-
-    # # Used by the audit logging feature
-    # create_table :account_authentication_audit_logs do |t|
-    #   t.references :account, foreign_key: true, null: false
-    #   t.datetime :at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    #   t.text :message, null: false
-<% case activerecord_adapter -%>
-<% when "postgresql" -%>
-    #   t.jsonb :metadata
-<% when "sqlite3", "mysql2" -%>
-    #   t.json :metadata
-<% else -%>
-    #   t.string :metadata
-<% end -%>
-    #   t.index [:account_id, :at], name: "audit_account_at_idx"
-    #   t.index :at, name: "audit_at_idx"
-    # end
-
-    # # Used by the jwt refresh feature
-    # create_table :account_jwt_refresh_keys do |t|
-    #   t.references :account, foreign_key: true, null: false
-    #   t.string :key, null: false
-    #   t.datetime :deadline, null: false
-    #   t.index :account_id, name: "account_jwt_rk_account_id_idx"
-    # end
-
-    # # Used by the disallow_password_reuse feature
-    # create_table :account_previous_password_hashes do |t|
-    #   t.references :account, foreign_key: true
-    #   t.string :password_hash, null: false
-    # end
-
-    # # Used by the lockout feature
-    # create_table :account_login_failures do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.integer :number, null: false, default: 1
-    # end
-    # create_table :account_lockouts do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    #   t.datetime :deadline, null: false
-    #   t.datetime :email_last_sent
-    # end
-
-    # # Used by the email auth feature
-    # create_table :account_email_auth_keys do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    #   t.datetime :deadline, null: false
-    #   t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the password expiration feature
-    # create_table :account_password_change_times do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.datetime :changed_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the account expiration feature
-    # create_table :account_activity_times do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.datetime :last_activity_at, null: false
-    #   t.datetime :last_login_at, null: false
-    #   t.datetime :expired_at
-    # end
-
-    # # Used by the single session feature
-    # create_table :account_session_keys do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    # end
-
-    # # Used by the active sessions feature
-    # create_table :account_active_session_keys, primary_key: [:account_id, :session_id] do |t|
-    #   t.references :account, foreign_key: true
-    #   t.string :session_id
-    #   t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the webauthn feature
-    # create_table :account_webauthn_user_ids do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :webauthn_id, null: false
-    # end
-    # create_table :account_webauthn_keys, primary_key: [:account_id, :webauthn_id] do |t|
-    #   t.references :account, foreign_key: true
-    #   t.string :webauthn_id
-    #   t.string :public_key, null: false
-    #   t.integer :sign_count, null: false
-    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the otp feature
-    # create_table :account_otp_keys do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    #   t.integer :num_failures, null: false, default: 0
-    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the recovery codes feature
-    # create_table :account_recovery_codes, primary_key: [:id, :code] do |t|
-    #   t.integer :id
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :code
-    # end
-
-    # # Used by the sms codes feature
-    # create_table :account_sms_codes do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :phone_number, null: false
-    #   t.integer :num_failures
-    #   t.string :code
-    #   t.datetime :code_issued_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
+<%= migration_content -%>
   end
 end

data/lib/rodauth/rails.rb

@@ -1,4 +1,4 @@
-require "rodauth/version"
+require "rodauth/rails/version"
 require "rodauth/rails/railtie"
 
 module Rodauth
@@ -9,14 +9,33 @@ module Rodauth
     # This allows the developer to avoid loading Rodauth at boot time.
     autoload :App, "rodauth/rails/app"
 
-    def self.configure
-      yield self
-    end
-
     @app = nil
     @middleware = true
 
     class << self
+      def rodauth(name = nil)
+        url_options = ActionMailer::Base.default_url_options
+
+        scheme   = url_options[:protocol] || "http"
+        port     = url_options[:port]
+        port   ||= Rack::Request::DEFAULT_PORTS[scheme] if Gem::Version.new(Rack.release) < Gem::Version.new("2.0")
+        host     = url_options[:host]
+        host    += ":#{port}" if port
+
+        rack_env = {
+          "HTTP_HOST"       => host,
+          "rack.url_scheme" => scheme,
+        }
+
+        scope = app.new(rack_env)
+
+        scope.rodauth(name)
+      end
+
+      def configure
+        yield self
+      end
+
       attr_writer :app
       attr_writer :middleware
 

data/lib/rodauth/rails/app.rb

@@ -4,15 +4,16 @@ module Rodauth
   module Rails
     # The superclass for creating a Rodauth middleware.
     class App < Roda
-      require "rodauth/rails/app/flash"
-
       plugin :middleware
       plugin :hooks
       plugin :render, layout: false
 
-      plugin Flash
-
       def self.configure(name = nil, **options, &block)
+        unless options[:json] == :only
+          require "rodauth/rails/flash"
+          plugin Flash
+        end
+
         plugin :rodauth, name: name, csrf: false, flash: false, **options do
           # load the Rails integration
           enable :rails

data/lib/rodauth/rails/feature.rb

@@ -9,10 +9,11 @@ module Rodauth
       :rails_csrf_param,
       :rails_csrf_token,
       :rails_check_csrf!,
-      :rails_controller_instance,
       :rails_controller,
     )
 
+    auth_cached_method :rails_controller_instance
+
     # Renders templates with layout. First tries to render a user-defined
     # template, otherwise falls back to Rodauth's template.
     def view(page, *)
@@ -28,6 +29,11 @@ module Rodauth
         super
     end
 
+    # Render Rails CSRF tags in Rodauth templates.
+    def csrf_tag(*)
+      rails_csrf_tag
+    end
+
     # Verify Rails' authenticity token.
     def check_csrf
       rails_check_csrf!
@@ -38,11 +44,6 @@ module Rodauth
       true
     end
 
-    # Render Rails CSRF tags in Rodauth templates.
-    def csrf_tag(*)
-      rails_csrf_tag
-    end
-
     # Default the flash error key to Rails' default :alert.
     def flash_error_key
       :alert
@@ -50,6 +51,59 @@ module Rodauth
 
     private
 
+    # Runs controller callbacks and rescue handlers around Rodauth actions.
+    def _around_rodauth(&block)
+      result = nil
+
+      rails_controller_rescue do
+        rails_controller_callbacks do
+          result = catch(:halt) { super(&block) }
+        end
+      end
+
+      if rails_controller_instance.performed?
+        rails_controller_response
+      else
+        result[1].merge!(rails_controller_instance.response.headers)
+        throw :halt, result
+      end
+    end
+
+    # Runs any #(before|around|after)_action controller callbacks.
+    def rails_controller_callbacks
+      # don't verify CSRF token as part of callbacks, Rodauth will do that
+      rails_controller_instance.allow_forgery_protection = false
+
+      rails_controller_instance.run_callbacks(:process_action) do
+        # turn the setting back to default so that form tags generate CSRF tags
+        rails_controller_instance.allow_forgery_protection = rails_controller.allow_forgery_protection
+
+        yield
+      end
+    end
+
+    # Runs any registered #rescue_from controller handlers.
+    def rails_controller_rescue
+      yield
+    rescue Exception => exception
+      rails_controller_instance.rescue_with_handler(exception) || raise
+
+      unless rails_controller_instance.performed?
+        raise Rodauth::Rails::Error, "rescue_from handler didn't write any response"
+      end
+    end
+
+    # Returns Roda response from controller response if set.
+    def rails_controller_response
+      controller_response = rails_controller_instance.response
+
+      response.status = controller_response.status
+      response.headers.merge! controller_response.headers
+      response.write controller_response.body
+
+      request.halt
+    end
+
     # Create emails with ActionMailer which uses configured delivery method.
     def create_email_to(to, subject, body)
       Mailer.create_email(to: to, from: email_from, subject: "#{email_subject_prefix}#{subject}", body: body)
@@ -62,11 +116,18 @@ module Rodauth
 
     # Calls the Rails renderer, returning nil if a template is missing.
     def rails_render(*args)
+      return if only_json?
+
       rails_controller_instance.render_to_string(*args)
     rescue ActionView::MissingTemplate
       nil
     end
 
+    # Calls the controller to verify the authenticity token.
+    def rails_check_csrf!
+      rails_controller_instance.send(:verify_authenticity_token)
+    end
+
     # Hidden tag with Rails CSRF token inserted into Rodauth templates.
     def rails_csrf_tag
       %(<input type="hidden" name="#{rails_csrf_param}" value="#{rails_csrf_token}">)
@@ -82,17 +143,12 @@ module Rodauth
       rails_controller_instance.send(:form_authenticity_token)
     end
 
-    # Calls the controller to verify the authenticity token.
-    def rails_check_csrf!
-      rails_controller_instance.send(:verify_authenticity_token)
-    end
-
     # Instances of the configured controller with current request's env hash.
-    def rails_controller_instance
+    def _rails_controller_instance
       request  = ActionDispatch::Request.new(scope.env)
       instance = rails_controller.new
 
-      if ActionPack.version >= Gem::Version.new("5.0.0")
+      if ActionPack.version >= Gem::Version.new("5.0")
         instance.set_request! request
         instance.set_response! rails_controller.make_response!(request)
       else

data/lib/rodauth/rails/flash.rb

@@ -0,0 +1,48 @@
+module Rodauth
+  module Rails
+    # Roda plugin that sets up Rails flash integration.
+    module Flash
+      def self.load_dependencies(app)
+        app.plugin :hooks
+      end
+
+      def self.configure(app)
+        app.before { request.flash }        # load flash
+        app.after  { request.commit_flash } # save flash
+      end
+
+      module InstanceMethods
+        def flash
+          request.flash
+        end
+      end
+
+      module RequestMethods
+        # If the redirect would bubble up outside of the Roda app, the after
+        # hook would never get called, so we make sure to commit the flash.
+        def redirect(*)
+          commit_flash
+          super
+        end
+
+        def flash
+          rails_request.flash
+        end
+
+        def commit_flash
+          if ActionPack.version >= Gem::Version.new("5.0")
+            rails_request.commit_flash
+          else
+            # ActionPack 4.2 automatically commits flash
+          end
+        end
+
+        private
+
+        def rails_request
+          ActionDispatch::Request.new(env)
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/railtie.rb

@@ -1,6 +1,8 @@
 require "rodauth/rails/middleware"
 require "rodauth/rails/controller_methods"
 
+require "rails"
+
 module Rodauth
   module Rails
     class Railtie < ::Rails::Railtie
@@ -13,6 +15,15 @@ module Rodauth
           include Rodauth::Rails::ControllerMethods
         end
       end
+
+      initializer "rodauth.test" do
+        # Rodauth uses RACK_ENV to set the default bcrypt hash cost
+        ENV["RACK_ENV"] = "test" if ::Rails.env.test?
+      end
+
+      rake_tasks do
+        load "rodauth/rails/tasks.rake"
+      end
     end
   end
 end