rodauth-rails 0.4.1 → 0.7.0

data/lib/generators/rodauth/templates/config/initializers/sequel.rb

@@ -1,8 +1,4 @@
 require "sequel/core"
 
 # initialize Sequel and have it reuse Active Record's database connection
-<% if RUBY_ENGINE == "jruby" -%>
-DB = Sequel.connect("jdbc:<%= sequel_adapter %>://", extensions: :activerecord_connection, test: false)
-<% else -%>
-DB = Sequel.<%= sequel_adapter %>(extensions: :activerecord_connection, test: false)
-<% end -%>
+DB = Sequel.connect("<%= sequel_uri_scheme %>://", extensions: :activerecord_connection)

data/lib/generators/rodauth/templates/db/migrate/create_rodauth.rb

@@ -1,179 +1,5 @@
-class CreateRodauth < ActiveRecord::Migration<%= migration_version %>
+class <%= migration_class_name %> < ActiveRecord::Migration<%= migration_version %>
   def change
-<% if activerecord_adapter == "postgresql" -%>
-    enable_extension "citext"
-
-<% end -%>
-    create_table :accounts do |t|
-<% case activerecord_adapter -%>
-<% when "postgresql" -%>
-      t.citext :email, null: false, index: { unique: true, where: "status IN ('verified', 'unverified')" }
-<% else -%>
-      t.string :email, null: false, index: { unique: true }
-<% end -%>
-      t.string :status, null: false, default: "verified"
-    end
-
-    # Used if storing password hashes in a separate table (default)
-    create_table :account_password_hashes do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :password_hash, null: false
-    end
-
-    # Used by the password reset feature
-    create_table :account_password_reset_keys do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :key, null: false
-      t.datetime :deadline, null: false
-      t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    end
-
-    # Used by the account verification feature
-    create_table :account_verification_keys do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :key, null: false
-      t.datetime :requested_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-      t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    end
-
-    # Used by the verify login change feature
-    create_table :account_login_change_keys do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :key, null: false
-      t.string :login, null: false
-      t.datetime :deadline, null: false
-    end
-
-<% unless api_only? -%>
-    # Used by the remember me feature
-    create_table :account_remember_keys do |t|
-      t.foreign_key :accounts, column: :id
-      t.string :key, null: false
-      t.datetime :deadline, null: false
-    end
-<% else -%>
-    # # Used by the remember me feature
-    # create_table :account_remember_keys do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    #   t.datetime :deadline, null: false
-    # end
-<% end -%>
-
-    # # Used by the audit logging feature
-    # create_table :account_authentication_audit_logs do |t|
-    #   t.references :account, foreign_key: true, null: false
-    #   t.datetime :at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    #   t.text :message, null: false
-<% case activerecord_adapter -%>
-<% when "postgresql" -%>
-    #   t.jsonb :metadata
-<% when "sqlite3", "mysql2" -%>
-    #   t.json :metadata
-<% else -%>
-    #   t.string :metadata
-<% end -%>
-    #   t.index [:account_id, :at], name: "audit_account_at_idx"
-    #   t.index :at, name: "audit_at_idx"
-    # end
-
-    # # Used by the jwt refresh feature
-    # create_table :account_jwt_refresh_keys do |t|
-    #   t.references :account, foreign_key: true, null: false
-    #   t.string :key, null: false
-    #   t.datetime :deadline, null: false
-    #   t.index :account_id, name: "account_jwt_rk_account_id_idx"
-    # end
-
-    # # Used by the disallow_password_reuse feature
-    # create_table :account_previous_password_hashes do |t|
-    #   t.references :account, foreign_key: true
-    #   t.string :password_hash, null: false
-    # end
-
-    # # Used by the lockout feature
-    # create_table :account_login_failures do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.integer :number, null: false, default: 1
-    # end
-    # create_table :account_lockouts do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    #   t.datetime :deadline, null: false
-    #   t.datetime :email_last_sent
-    # end
-
-    # # Used by the email auth feature
-    # create_table :account_email_auth_keys do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    #   t.datetime :deadline, null: false
-    #   t.datetime :email_last_sent, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the password expiration feature
-    # create_table :account_password_change_times do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.datetime :changed_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the account expiration feature
-    # create_table :account_activity_times do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.datetime :last_activity_at, null: false
-    #   t.datetime :last_login_at, null: false
-    #   t.datetime :expired_at
-    # end
-
-    # # Used by the single session feature
-    # create_table :account_session_keys do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    # end
-
-    # # Used by the active sessions feature
-    # create_table :account_active_session_keys, primary_key: [:account_id, :session_id] do |t|
-    #   t.references :account, foreign_key: true
-    #   t.string :session_id
-    #   t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the webauthn feature
-    # create_table :account_webauthn_user_ids do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :webauthn_id, null: false
-    # end
-    # create_table :account_webauthn_keys, primary_key: [:account_id, :webauthn_id] do |t|
-    #   t.references :account, foreign_key: true
-    #   t.string :webauthn_id
-    #   t.string :public_key, null: false
-    #   t.integer :sign_count, null: false
-    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the otp feature
-    # create_table :account_otp_keys do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :key, null: false
-    #   t.integer :num_failures, null: false, default: 0
-    #   t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
-
-    # # Used by the recovery codes feature
-    # create_table :account_recovery_codes, primary_key: [:id, :code] do |t|
-    #   t.integer :id
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :code
-    # end
-
-    # # Used by the sms codes feature
-    # create_table :account_sms_codes do |t|
-    #   t.foreign_key :accounts, column: :id
-    #   t.string :phone_number, null: false
-    #   t.integer :num_failures
-    #   t.string :code
-    #   t.datetime :code_issued_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
-    # end
+<%= migration_content -%>
   end
 end

data/lib/rodauth/rails.rb

@@ -9,14 +9,43 @@ module Rodauth
     # This allows the developer to avoid loading Rodauth at boot time.
     autoload :App, "rodauth/rails/app"
 
-    def self.configure
-      yield self
-    end
-
     @app = nil
     @middleware = true
 
     class << self
+      def rodauth(name = nil)
+        url_options = ActionMailer::Base.default_url_options
+
+        scheme   = url_options[:protocol] || "http"
+        port     = url_options[:port]
+        port   ||= Rack::Request::DEFAULT_PORTS[scheme] if Gem::Version.new(Rack.release) < Gem::Version.new("2.0")
+        host     = url_options[:host]
+        host    += ":#{port}" if port
+
+        rack_env = {
+          "HTTP_HOST"       => host,
+          "rack.url_scheme" => scheme,
+        }
+
+        scope = app.new(rack_env)
+
+        scope.rodauth(name)
+      end
+
+      if ::Rails.gem_version >= Gem::Version.new("5.2")
+        def secret_key_base
+          ::Rails.application.secret_key_base
+        end
+      else
+        def secret_key_base
+          ::Rails.application.secrets.secret_key_base
+        end
+      end
+
+      def configure
+        yield self
+      end
+
       attr_writer :app
       attr_writer :middleware
 

data/lib/rodauth/rails/app.rb

@@ -4,7 +4,9 @@ module Rodauth
   module Rails
     # The superclass for creating a Rodauth middleware.
     class App < Roda
-      plugin :middleware
+      require "rodauth/rails/app/middleware"
+      plugin Middleware
+
       plugin :hooks
       plugin :render, layout: false
 
@@ -25,7 +27,7 @@ module Rodauth
           set_deadline_values? true
 
           # use HMACs for additional security
-          hmac_secret { ::Rails.application.secrets.secret_key_base }
+          hmac_secret { Rodauth::Rails.secret_key_base }
 
           # evaluate user configuration
           instance_exec(&block)

data/lib/rodauth/rails/app/flash.rb

@@ -1,7 +1,7 @@
 module Rodauth
   module Rails
     class App
-      # Sets up Rails' flash integration.
+      # Roda plugin that sets up Rails flash integration.
       module Flash
         def self.load_dependencies(app)
           app.plugin :hooks

data/lib/rodauth/rails/app/middleware.rb

@@ -0,0 +1,26 @@
+module Rodauth
+  module Rails
+    class App
+      # Roda plugin that extends middleware plugin by propagating response headers.
+      module Middleware
+        def self.load_dependencies(app)
+          app.plugin :hooks
+        end
+
+        def self.configure(app)
+          app.after do
+            if response.empty? && response.headers.any?
+              env["rodauth.rails.headers"] = response.headers
+            end
+          end
+
+          app.plugin :middleware, handle_result: -> (env, res) do
+            if headers = env.delete("rodauth.rails.headers")
+              res[1] = headers.merge(res[1])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/feature.rb

@@ -9,10 +9,11 @@ module Rodauth
       :rails_csrf_param,
       :rails_csrf_token,
       :rails_check_csrf!,
-      :rails_controller_instance,
       :rails_controller,
     )
 
+    auth_cached_method :rails_controller_instance
+
     # Renders templates with layout. First tries to render a user-defined
     # template, otherwise falls back to Rodauth's template.
     def view(page, *)
@@ -28,6 +29,11 @@ module Rodauth
         super
     end
 
+    # Render Rails CSRF tags in Rodauth templates.
+    def csrf_tag(*)
+      rails_csrf_tag
+    end
+
     # Verify Rails' authenticity token.
     def check_csrf
       rails_check_csrf!
@@ -38,18 +44,71 @@ module Rodauth
       true
     end
 
-    # Render Rails CSRF tags in Rodauth templates.
-    def csrf_tag(*)
-      rails_csrf_tag
-    end
-
     # Default the flash error key to Rails' default :alert.
     def flash_error_key
       :alert
     end
 
+    # Evaluates the block in context of a Rodauth controller instance.
+    def rails_controller_eval(&block)
+      rails_controller_instance.instance_exec(&block)
+    end
+
     private
 
+    # Runs controller callbacks and rescue handlers around Rodauth actions.
+    def _around_rodauth(&block)
+      result = nil
+
+      rails_controller_rescue do
+        rails_controller_callbacks do
+          result = catch(:halt) { super(&block) }
+        end
+      end
+
+      if rails_controller_instance.performed?
+        rails_controller_response
+      else
+        result[1].merge!(rails_controller_instance.response.headers)
+        throw :halt, result
+      end
+    end
+
+    # Runs any #(before|around|after)_action controller callbacks.
+    def rails_controller_callbacks
+      # don't verify CSRF token as part of callbacks, Rodauth will do that
+      rails_controller_instance.allow_forgery_protection = false
+
+      rails_controller_instance.run_callbacks(:process_action) do
+        # turn the setting back to default so that form tags generate CSRF tags
+        rails_controller_instance.allow_forgery_protection = rails_controller.allow_forgery_protection
+
+        yield
+      end
+    end
+
+    # Runs any registered #rescue_from controller handlers.
+    def rails_controller_rescue
+      yield
+    rescue Exception => exception
+      rails_controller_instance.rescue_with_handler(exception) || raise
+
+      unless rails_controller_instance.performed?
+        raise Rodauth::Rails::Error, "rescue_from handler didn't write any response"
+      end
+    end
+
+    # Returns Roda response from controller response if set.
+    def rails_controller_response
+      controller_response = rails_controller_instance.response
+
+      response.status = controller_response.status
+      response.headers.merge! controller_response.headers
+      response.write controller_response.body
+
+      request.halt
+    end
+
     # Create emails with ActionMailer which uses configured delivery method.
     def create_email_to(to, subject, body)
       Mailer.create_email(to: to, from: email_from, subject: "#{email_subject_prefix}#{subject}", body: body)
@@ -64,11 +123,14 @@ module Rodauth
     def rails_render(*args)
       return if only_json?
 
-      begin
-        rails_controller_instance.render_to_string(*args)
-      rescue ActionView::MissingTemplate
-        nil
-      end
+      rails_controller_instance.render_to_string(*args)
+    rescue ActionView::MissingTemplate
+      nil
+    end
+
+    # Calls the controller to verify the authenticity token.
+    def rails_check_csrf!
+      rails_controller_instance.send(:verify_authenticity_token)
     end
 
     # Hidden tag with Rails CSRF token inserted into Rodauth templates.
@@ -86,30 +148,36 @@ module Rodauth
       rails_controller_instance.send(:form_authenticity_token)
     end
 
-    # Calls the controller to verify the authenticity token.
-    def rails_check_csrf!
-      rails_controller_instance.send(:verify_authenticity_token)
-    end
-
     # Instances of the configured controller with current request's env hash.
-    def rails_controller_instance
-      request  = ActionDispatch::Request.new(scope.env)
-      instance = rails_controller.new
+    def _rails_controller_instance
+      controller    = rails_controller.new
+      rails_request = ActionDispatch::Request.new(scope.env)
 
-      if ActionPack.version >= Gem::Version.new("5.0")
-        instance.set_request! request
-        instance.set_response! rails_controller.make_response!(request)
-      else
-        instance.send(:set_response!, request)
-        instance.instance_variable_set(:@_request, request)
-      end
+      prepare_rails_controller(controller, rails_request)
 
-      instance
+      controller
     end
 
-    # Controller class to use for rendering and CSRF protection.
-    def rails_controller
-      ActionController::Base
+    if ActionPack.version >= Gem::Version.new("5.0")
+      # Controller class to use for view rendering, CSRF protection, and
+      # running any registered action callbacks and rescue_from handlers.
+      def rails_controller
+        only_json? ? ActionController::API : ActionController::Base
+      end
+
+      def prepare_rails_controller(controller, rails_request)
+        controller.set_request! rails_request
+        controller.set_response! rails_controller.make_response!(rails_request)
+      end
+    else
+      def rails_controller
+        ActionController::Base
+      end
+
+      def prepare_rails_controller(controller, rails_request)
+        controller.send(:set_response!, rails_request)
+        controller.instance_variable_set(:@_request, rails_request)
+      end
     end
 
     # ActionMailer subclass for correct email delivering.