rodauth-rails 0.7.0 → 0.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8163d64892cbebd867182d15148f3099abb3ed49ae3e07a89a5adea6606623d2
-  data.tar.gz: 3cc7990e0af8e5ffb2ac959f989fb45cf538490412adfc908571823e5dd7b160
+  metadata.gz: b8f8aec1dbdc745a530aabec0d63bc2681499dd36f8185faed9ea09e7184636e
+  data.tar.gz: fbc5a75976a922978a6e37fee3bef8e7f04bb0a9a324066afdf79172b33f00e9
 SHA512:
-  metadata.gz: 99005d6864310fa3a36f8314a13588900a5ac1559af7a77d75cb5aba66b0b829d32c83fe66a3f5a7ced098de32b39396edd666919177836bb84b35a0de3a558b
-  data.tar.gz: 2d66b5ab43d05b26483cb3d69181c506b19a937fa77a2d7d66a38708f6357fae7bd2e605cc0a96affdd8fed822076dccb1603577338e68620c70a816fc45db7a
+  metadata.gz: 89d2f6ad377ba8e3f18bc747c3bfdf53e97c1a29f2731036987e5f7c1fde14db89732cda2d09026a153d81eabe26e51e021a129f02517d4d5582fcaf392876ca
+  data.tar.gz: 648b1297a9569b436113b5921a9ae37944d808ed42a03ef57a75452a74143dcc493e7d9c34a12f31f780745db5d2b1365d5a7b602dfa303571961730566852f4

data/CHANGELOG.md

@@ -1,3 +1,41 @@
+## 0.9.1 (2021-02-10)
+
+* Fix flash integration being loaded for API-only apps and causing an error (@dmitryzuev)
+
+* Change account status column default to `unverified` in migration to match Rodauth's default (@basabin54)
+
+## 0.9.0 (2021-02-07)
+
+* Load Roda's JSON support by default, so that enabling `json`/`jwt` feature is all that's needed (@janko)
+
+* Bump Rodauth dependency to 2.9+ (@janko)
+
+* Add `--json` option for `rodauth:install` generator for configuring `json` feature (@janko)
+
+* Add `--jwt` option for `rodauth:install` generator for configuring `jwt` feature (@janko)
+
+* Remove the `--api` option from `rodauth:install` generator (@janko)
+
+## 0.8.2 (2021-01-10)
+
+* Reset Rails session on `#clear_session`, protecting from potential session fixation attacks (@janko)
+
+## 0.8.1 (2021-01-04)
+
+* Fix blank email body when `json: true` and `ActionController::API` descendant are used (@janko)
+
+* Make view and email rendering work when there are multiple configurations and one is `json: :only` (@janko)
+
+* Don't attempt to protect against forgery when `ActionController::API` descendant is used (@janko)
+
+* Mark content of rodauth built-in partials as HTML-safe (@janko)
+
+## 0.8.0 (2021-01-03)
+
+* Add `--api` option to `rodauth:install` generator for choosing JSON-only configuration (@janko)
+
+* Don't blow up when a Rodauth request is made using an unsupported HTTP verb (@janko)
+
 ## 0.7.0 (2020-11-27)
 
 * Add `#rails_controller_eval` method for running code in context of a controller instance (@janko)

data/README.md

@@ -2,6 +2,35 @@
 
 Provides Rails integration for the [Rodauth] authentication framework.
 
+## Table of contents
+
+* [Resources](#resources)
+* [Why Rodauth?](#why-rodauth)
+* [Upgrading](#upgrading)
+* [Installation](#installation)
+* [Usage](#usage)
+  - [Routes](#routes)
+  - [Current account](#current-account)
+  - [Requiring authentication](#requiring-authentication)
+  - [Views](#views)
+  - [Mailer](#mailer)
+  - [Migrations](#migrations)
+  - [Multiple configurations](#multiple-configurations)
+  - [Calling controller methods](#calling-controller-methods)
+  - [Rodauth instance](#rodauth-instance)
+* [How it works](#how-it-works)
+  - [Middleware](#middleware)
+  - [App](#app)
+  - [Sequel](#sequel)
+* [JSON API](#json-api)
+* [OmniAuth](#omniauth)
+* [Configuring](#configuring)
+* [Custom extensions](#custom-extensions)
+* [Testing](#testing)
+* [Rodauth defaults](#rodauth-defaults)
+  - [Database functions](#database-functions)
+  - [Account statuses](#account-statuses)
+
 ## Resources
 
 Useful links:
@@ -12,7 +41,25 @@ Useful links:
 Articles:
 
 * [Rodauth: A Refreshing Authentication Solution for Ruby](https://janko.io/rodauth-a-refreshing-authentication-solution-for-ruby/)
-* [Adding Authentication in Rails 6 with Rodauth](https://janko.io/adding-authentication-in-rails-with-rodauth/)
+* [Adding Authentication in Rails with Rodauth](https://janko.io/adding-authentication-in-rails-with-rodauth/)
+* [Adding Multifactor Authentication in Rails with Rodauth](https://janko.io/adding-multifactor-authentication-in-rails-with-rodauth/)
+
+## Why Rodauth?
+
+There are already several popular authentication solutions for Rails (Devise,
+Sorcery, Clearance, Authlogic), so why would you choose Rodauth? Here are some
+of the advantages that stand out for me:
+
+* multifactor authentication ([TOTP][otp], [SMS codes][sms_codes], [recovery codes][recovery_codes], [WebAuthn][webauthn])
+* standardized [JSON API support][json] for every feature (including [JWT][jwt])
+* enterprise security features ([password complexity][password_complexity], [disallow password reuse][disallow_password_reuse], [password expiration][password_expiration], [session expiration][session_expiration], [single session][single_session], [account expiration][account_expiration])
+* [email authentication][email_auth] (aka "passwordless")
+* [audit logging][audit_logging] (for any action)
+* ability to protect password hashes even in case of SQL injection ([more details][password protection])
+* additional bruteforce protection for tokens ([more details][bruteforce tokens])
+* uniform configuration DSL (any setting can be static or dynamic)
+* consistent before/after hooks around everything
+* dedicated object encapsulating all authentication logic
 
 ## Upgrading
 
@@ -21,14 +68,14 @@ Articles:
 Starting from version 0.7.0, rodauth-rails now correctly detects Rails
 application's `secret_key_base` when setting default `hmac_secret`, including
 when it's set via credentials or `$SECRET_KEY_BASE` environment variable. This
-means authentication will be more secure by default, and Rodauth features that
-require `hmac_secret` should now work automatically as well.
+means that your authentication will now be more secure by default, and Rodauth
+features that require `hmac_secret` should now work automatically as well.
 
 However, if you've already been using rodauth-rails in production, where the
 `secret_key_base` is set via credentials or environment variable and `hmac_secret`
 was not explicitly set, the fact that your authentication will now start using
 HMACs has backwards compatibility considerations. See the [Rodauth
-documentation](hmac) for instructions on how to safely transition, or just set
+documentation][hmac] for instructions on how to safely transition, or just set
 `hmac_secret nil` in your Rodauth configuration.
 
 ## Installation
@@ -36,7 +83,7 @@ documentation](hmac) for instructions on how to safely transition, or just set
 Add the gem to your Gemfile:
 
 ```rb
-gem "rodauth-rails", "~> 0.6"
+gem "rodauth-rails", "~> 0.9"
 
 # gem "jwt",      require: false # for JWT feature
 # gem "rotp",     require: false # for OTP feature
@@ -48,10 +95,19 @@ Then run `bundle install`.
 
 Next, run the install generator:
 
-```
+```sh
 $ rails generate rodauth:install
 ```
 
+Or if you want Rodauth endpoints to be exposed via JSON API:
+
+```sh
+$ rails generate rodauth:install --json # regular authentication using the Rails session
+# or
+$ rails generate rodauth:install --jwt # token authentication via the "Authorization" header
+$ bundle add jwt
+```
+
 The generator will create the following files:
 
 * Rodauth migration at `db/migrate/*_create_rodauth.rb`
@@ -185,14 +241,12 @@ Using this information, we could add some basic authentication links to our
 navigation header:
 
 ```erb
-<ul>
-  <% if rodauth.authenticated? %>
-    <li><%= link_to "Sign out", rodauth.logout_path, method: :post %></li>
-  <% else %>
-    <li><%= link_to "Sign in", rodauth.login_path %></li>
-    <li><%= link_to "Sign up", rodauth.create_account_path %></li>
-  <% end %>
-</ul>
+<% if rodauth.logged_in? %>
+  <%= link_to "Sign out", rodauth.logout_path, method: :post %>
+<% else %>
+  <%= link_to "Sign in", rodauth.login_path %>
+  <%= link_to "Sign up", rodauth.create_account_path %>
+<% end %>
 ```
 
 These routes are fully functional, feel free to visit them and interact with the
@@ -208,7 +262,7 @@ retrieves the corresponding account record:
 ```rb
 # app/controllers/application_controller.rb
 class ApplicationController < ActionController::Base
-  before_action :current_account, if: -> { rodauth.authenticated? }
+  before_action :current_account, if: -> { rodauth.logged_in? }
 
   private
 
@@ -382,7 +436,7 @@ $ rails generate rodauth:mailer
 ```
 
 This will create a `RodauthMailer` with the associated mailer views in
-`app/views/rodauth_mailer` directory.
+`app/views/rodauth_mailer` directory:
 
 ```rb
 # app/mailers/rodauth_mailer.rb
@@ -434,9 +488,9 @@ end
 ```
 
 This approach can be used even if you're using a 3rd-party service for
-transactional emails, where emails are sent via API requests instead of
-SMTP. Whatever the `create_*_email` block returns will be passed to
-`send_email`, so you can be creative.
+transactional emails, where emails are sent via HTTP instead of SMTP. Whatever
+the `create_*_email` block returns will be passed to `send_email`, so you can
+be creative.
 
 ### Migrations
 
@@ -458,36 +512,41 @@ class CreateRodauthOtpSmsCodesRecoveryCodes < ActiveRecord::Migration
 end
 ```
 
-### JSON API
+### Multiple configurations
 
-JSON API support in Rodauth is provided by the [JWT feature]. First you'll need
-to add the [JWT gem] to your Gemfile:
-
-```rb
-gem "jwt"
-```
-
-The following configuration will enable the Rodauth endpoints to be accessed
-via JSON requests (in addition to HTML requests):
+If you need to handle multiple types of accounts that require different
+authentication logic, you can create different configurations for them:
 
 ```rb
 # app/lib/rodauth_app.rb
 class RodauthApp < Rodauth::Rails::App
-  configure(json: true) do
+  # primary configuration
+  configure do
     # ...
-    enable :jwt
-    jwt_secret "...your secret key..."
+  end
+
+  # alternative configuration
+  configure(:admin) do
+    # ... enable features ...
+    prefix "/admin"
+    session_key_prefix "admin_"
+    remember_cookie_key "_admin_remember" # if using remember feature
+    # ...
+  end
+
+  route do |r|
+    r.rodauth
+    r.on("admin") { r.rodauth(:admin) }
     # ...
   end
 end
 ```
 
-If you want the endpoints to be only accessible via JSON requests, or if your
-Rails app is in API-only mode, instead of `json: true` pass `json: :only` to
-the configure method.
+Then in your application you can reference the secondary Rodauth instance:
 
-Make sure to store the `jwt_secret` in a secure place, such as Rails
-credentials or environment variables.
+```rb
+rodauth(:admin).login_path #=> "/admin/login"
+```
 
 ### Calling controller methods
 
@@ -522,7 +581,7 @@ Rodauth operations outside of the request context. rodauth-rails gives you the
 ability to retrieve the Rodauth instance:
 
 ```rb
-rodauth = Rodauth::Rails.rodauth # or Rodauth::Rails.rodauth(:secondary)
+rodauth = Rodauth::Rails.rodauth # or Rodauth::Rails.rodauth(:admin)
 
 rodauth.login_url #=> "https://example.com/login"
 rodauth.account_from_login("user@example.com") # loads user by email
@@ -553,8 +612,8 @@ The Rodauth app stores the `Rodauth::Auth` instance in the Rack env hash, which
 is then available in your Rails app:
 
 ```rb
-request.env["rodauth"]           #=> #<Rodauth::Auth>
-request.env["rodauth.secondary"] #=> #<Rodauth::Auth> (if using multiple configurations)
+request.env["rodauth"]       #=> #<Rodauth::Auth>
+request.env["rodauth.admin"] #=> #<Rodauth::Auth> (if using multiple configurations)
 ```
 
 For convenience, this object can be accessed via the `#rodauth` method in views
@@ -563,14 +622,14 @@ and controllers:
 ```rb
 class MyController < ApplicationController
   def my_action
-    rodauth             #=> #<Rodauth::Auth>
-    rodauth(:secondary) #=> #<Rodauth::Auth> (if using multiple configurations)
+    rodauth         #=> #<Rodauth::Auth>
+    rodauth(:admin) #=> #<Rodauth::Auth> (if using multiple configurations)
   end
 end
 ```
 ```erb
-<% rodauth             #=> #<Rodauth::Auth> %>
-<% rodauth(:secondary) #=> #<Rodauth::Auth> (if using multiple configurations) %>
+<% rodauth         #=> #<Rodauth::Auth> %>
+<% rodauth(:admin) #=> #<Rodauth::Auth> (if using multiple configurations) %>
 ```
 
 ### App
@@ -585,13 +644,38 @@ integration for Rodauth:
 * runs Action Controller callbacks & rescue handlers around Rodauth actions
 * uses Action Mailer for sending emails
 
-The `configure { ... }` method wraps configuring the Rodauth plugin, forwarding
+The `configure` method wraps configuring the Rodauth plugin, forwarding
 any additional [plugin options].
 
 ```rb
-configure { ... }             # defining default Rodauth configuration
-configure(json: true) { ... } # passing options to the Rodauth plugin
-configure(:secondary) { ... } # defining multiple Rodauth configurations
+class RodauthApp < Rodauth::Rails::App
+  configure { ... }             # defining default Rodauth configuration
+  configure(json: true) { ... } # passing options to the Rodauth plugin
+  configure(:admin) { ... }     # defining multiple Rodauth configurations
+end
+```
+
+The `route` block is provided by Roda, and it's called on each request before
+it reaches the Rails router.
+
+```rb
+class RodauthApp < Rodauth::Rails::App
+  route do |r|
+    # ... called before each request ...
+  end
+end
+```
+
+Since `Rodauth::Rails::App` is just a Roda subclass, you can do anything you
+would with a Roda app, such as loading additional Roda plugins:
+
+```rb
+class RodauthApp < Rodauth::Rails::App
+  plugin :request_headers # easier access to request headers
+  plugin :typecast_params # methods for conversion of request params
+  plugin :default_headers, { "Foo" => "Bar" }
+  # ...
+end
 ```
 
 ### Sequel
@@ -602,11 +686,174 @@ function calls).
 
 If ActiveRecord is used in the application, the `rodauth:install` generator
 will have automatically configured Sequel to reuse ActiveRecord's database
-connection (using the [sequel-activerecord_connection] gem).
+connection, using the [sequel-activerecord_connection] gem.
 
 This means that, from the usage perspective, Sequel can be considered just
 as an implementation detail of Rodauth.
 
+## JSON API
+
+To make Rodauth endpoints accessible via JSON API, enable the [`json`][json]
+feature:
+
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    # ...
+    enable :json
+    only_json? true # accept only JSON requests
+    # ...
+  end
+end
+```
+
+This will store account session data into the Rails session. If you rather want
+stateless token-based authentication via the `Authorization` header, enable the
+[`jwt`][jwt] feature (which builds on top of the `json` feature) and add the
+[JWT gem] to the Gemfile:
+
+```sh
+$ bundle add jwt
+```
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    # ...
+    enable :jwt
+    jwt_secret "<YOUR_SECRET_KEY>" # store the JWT secret in a safe place
+    only_json? true # accept only JSON requests
+    # ...
+  end
+end
+```
+
+If you need Cross-Origin Resource Sharing and/or JWT refresh tokens, enable the
+corresponding Rodauth features and create the necessary tables:
+
+```sh
+$ rails generate rodauth:migration jwt_refresh
+$ rails db:migrate
+```
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    # ...
+    enable :jwt, :jwt_cors, :jwt_refresh
+    # ...
+  end
+end
+```
+
+## OmniAuth
+
+While Rodauth doesn't yet come with [OmniAuth] integration, we can build one
+ourselves using the existing Rodauth API.
+
+In order to allow the user to login via multiple external providers, let's
+create an `account_identities` table that will have a many-to-one relationship
+with the `accounts` table:
+
+```sh
+$ rails generate model AccountIdentity
+```
+```rb
+# db/migrate/*_create_account_identities.rb
+class CreateAccountIdentities < ActiveRecord::Migration
+  def change
+    create_table :account_identities do |t|
+      t.references :account, null: false, foreign_key: { on_delete: :cascade }
+      t.string :provider, null: false
+      t.string :uid, null: false
+      t.jsonb :info, null: false, default: {} # adjust JSON column type for your database
+
+      t.timestamps
+
+      t.index [:provider, :uid], unique: true
+    end
+  end
+end
+```
+```rb
+# app/models/account_identity.rb
+class AcccountIdentity < ApplicationRecord
+  belongs_to :account
+end
+```
+```rb
+# app/models/account.rb
+class Account < ApplicationRecord
+  has_many :identities, class_name: "AccountIdentity"
+end
+```
+
+Let's assume we want to implement Facebook login, and have added the
+corresponding OmniAuth strategy to the middleware stack, together with an
+authorization link on the login form:
+
+```rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :facebook, ENV["FACEBOOK_APP_ID"], ENV["FACEBOOK_APP_SECRET"],
+    scope: "email", callback_path: "/auth/facebook/callback"
+end
+```
+```erb
+<%= link_to "Login via Facebook", "/auth/facebook" %>
+```
+
+Let's implement the OmniAuth callback endpoint on our Rodauth controller:
+
+```rb
+# config/routes.rb
+Rails.application.routes.draw do
+  # ...
+  get "/auth/:provider/callback", to: "rodauth#omniauth"
+end
+```
+```rb
+# app/controllres/rodauth_controller.rb
+class RodauthController < ApplicationController
+  def omniauth
+    auth = request.env["omniauth.auth"]
+
+    # attempt to find existing identity directly
+    identity = AccountIdentity.find_by(provider: auth["provider"], uid: auth["uid"])
+
+    if identity
+      # update any external info changes
+      identity.update!(info: auth["info"])
+      # set account from identity
+      account = identity.account
+    end
+
+    # attempt to find an existing account by email
+    account ||= Account.find_by(email: auth["info"]["email"])
+
+    # disallow login if account is not verified
+    if account && account.status != rodauth.account_open_status_value
+      redirect_to rodauth.login_path, alert: rodauth.unverified_account_message
+      return
+    end
+
+    # create new account if it doesn't exist
+    unless account
+      account = Account.create!(email: auth["info"]["email"], status: rodauth.account_open_status_value)
+    end
+
+    # create new identity if it doesn't exist
+    unless identity
+      account.identities.create!(provider: auth["provider"], uid: auth["uid"], info: auth["info"])
+    end
+
+    # login with Rodauth
+    rodauth.account_from_login(account.email)
+    rodauth.login("omniauth")
+  end
+end
+```
+
 ## Configuring
 
 For the list of configuration methods provided by Rodauth, see the [feature
@@ -640,6 +887,39 @@ Rodauth::Rails.configure do |config|
 end
 ```
 
+## Custom extensions
+
+When developing custom extensions for Rodauth inside your Rails project, it's
+better to use plain modules (at least in the beginning), because Rodauth
+feature design doesn't yet support Zeitwerk reloading well. Here is
+an example of an LDAP authentication extension that uses the
+[simple_ldap_authenticator] gem.
+
+```rb
+# app/lib/rodauth_ldap.rb
+module RodauthLdap
+  def require_bcrypt?
+    false
+  end
+
+  def password_match?(password)
+    SimpleLdapAuthenticator.valid?(account[:email], password)
+  end
+end
+```
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    # ...
+    auth_class_eval do
+      include RodauthLdap
+    end
+    # ...
+  end
+end
+```
+
 ## Testing
 
 If you're writing system tests, it's generally better to go through the actual
@@ -712,6 +992,8 @@ Rodauth method for creating database functions:
 
 ```rb
 # db/migrate/*_create_rodauth_database_functions.rb
+require "rodauth/migrations"
+
 class CreateRodauthDatabaseFunctions < ActiveRecord::Migration
   def up
     Rodauth.create_database_authentication_functions(DB)
@@ -776,7 +1058,6 @@ conduct](https://github.com/janko/rodauth-rails/blob/master/CODE_OF_CONDUCT.md).
 [Rodauth]: https://github.com/jeremyevans/rodauth
 [Sequel]: https://github.com/jeremyevans/sequel
 [feature documentation]: http://rodauth.jeremyevans.net/documentation.html
-[JWT feature]: http://rodauth.jeremyevans.net/rdoc/files/doc/jwt_rdoc.html
 [JWT gem]: https://github.com/jwt/ruby-jwt
 [Bootstrap]: https://getbootstrap.com/
 [Roda]: http://roda.jeremyevans.net/
@@ -786,3 +1067,21 @@ conduct](https://github.com/janko/rodauth-rails/blob/master/CODE_OF_CONDUCT.md).
 [sequel-activerecord_connection]: https://github.com/janko/sequel-activerecord_connection
 [plugin options]: http://rodauth.jeremyevans.net/rdoc/files/README_rdoc.html#label-Plugin+Options
 [hmac]: http://rodauth.jeremyevans.net/rdoc/files/README_rdoc.html#label-HMAC
+[OmniAuth]: https://github.com/omniauth/omniauth
+[otp]: http://rodauth.jeremyevans.net/rdoc/files/doc/otp_rdoc.html
+[sms_codes]: http://rodauth.jeremyevans.net/rdoc/files/doc/sms_codes_rdoc.html
+[recovery_codes]: http://rodauth.jeremyevans.net/rdoc/files/doc/recovery_codes_rdoc.html
+[webauthn]: http://rodauth.jeremyevans.net/rdoc/files/doc/webauthn_rdoc.html
+[json]: http://rodauth.jeremyevans.net/rdoc/files/doc/json_rdoc.html
+[jwt]: http://rodauth.jeremyevans.net/rdoc/files/doc/jwt_rdoc.html
+[email_auth]: http://rodauth.jeremyevans.net/rdoc/files/doc/email_auth_rdoc.html
+[audit_logging]: http://rodauth.jeremyevans.net/rdoc/files/doc/audit_logging_rdoc.html
+[password protection]: https://github.com/jeremyevans/rodauth#label-Password+Hash+Access+Via+Database+Functions
+[bruteforce tokens]: https://github.com/jeremyevans/rodauth#label-Tokens
+[password_complexity]: http://rodauth.jeremyevans.net/rdoc/files/doc/password_complexity_rdoc.html
+[disallow_password_reuse]: http://rodauth.jeremyevans.net/rdoc/files/doc/disallow_password_reuse_rdoc.html
+[password_expiration]: http://rodauth.jeremyevans.net/rdoc/files/doc/password_expiration_rdoc.html
+[session_expiration]: http://rodauth.jeremyevans.net/rdoc/files/doc/session_expiration_rdoc.html
+[single_session]: http://rodauth.jeremyevans.net/rdoc/files/doc/single_session_rdoc.html
+[account_expiration]: http://rodauth.jeremyevans.net/rdoc/files/doc/account_expiration_rdoc.html
+[simple_ldap_authenticator]: https://github.com/jeremyevans/simple_ldap_authenticator

data/lib/generators/rodauth/install_generator.rb

@@ -13,6 +13,9 @@ module Rodauth
         source_root "#{__dir__}/templates"
         namespace "rodauth:install"
 
+        class_option :json, type: :boolean, desc: "Configure JSON support"
+        class_option :jwt, type: :boolean, desc: "Configure JWT support"
+
         def create_rodauth_migration
           return unless defined?(ActiveRecord::Base)
 
@@ -74,15 +77,17 @@ module Rodauth
           end
         end
 
-        def api_only?
-          return unless ::Rails.gem_version >= Gem::Version.new("5.0")
+        def json?
+          options[:json]
+        end
 
-          ::Rails.application.config.api_only
+        def jwt?
+          options[:jwt] || Rodauth::Rails.api_only?
         end
 
         def migration_features
           features = [:base, :reset_password, :verify_account, :verify_login_change]
-          features << :remember unless api_only?
+          features << :remember unless jwt?
           features
         end
       end

data/lib/generators/rodauth/migration/base.erb

@@ -5,11 +5,11 @@ enable_extension "citext"
 create_table :accounts<%= primary_key_type %> do |t|
 <% case activerecord_adapter -%>
 <% when "postgresql" -%>
-  t.citext :email, null: false, index: { unique: true, where: "status IN ('verified', 'unverified')" }
+  t.citext :email, null: false, index: { unique: true, where: "status IN ('unverified', 'verified')" }
 <% else -%>
   t.string :email, null: false, index: { unique: true }
 <% end -%>
-  t.string :status, null: false, default: "verified"
+  t.string :status, null: false, default: "unverified"
 end
 
 # Used if storing password hashes in a separate table (default)

data/lib/generators/rodauth/templates/app/lib/rodauth_app.rb

@@ -1,11 +1,11 @@
 class RodauthApp < Rodauth::Rails::App
-  configure<%= " json: :only" if api_only? %> do
+  configure do
     # List of authentication features that are loaded.
     enable :create_account, :verify_account, :verify_account_grace_period,
-      :login, :logout, <%= api_only? ? ":jwt" : ":remember" %>,
+      :login, :logout<%= ", :remember" unless jwt? %>,
       :reset_password, :change_password, :change_password_notify,
       :change_login, :verify_login_change,
-      :close_account
+      :close_account<%= ", :json" if json? %><%= ", :jwt" if jwt? %>
 
     # See the Rodauth documentation for the list of available config options:
     # http://rodauth.jeremyevans.net/documentation.html
@@ -14,6 +14,16 @@ class RodauthApp < Rodauth::Rails::App
     # The secret key used for hashing public-facing tokens for various features.
     # Defaults to Rails `secret_key_base`, but you can use your own secret key.
     # hmac_secret "<%= SecureRandom.hex(64) %>"
+<% if jwt? -%>
+
+    # Set JWT secret, which is used to cryptographically protect the token.
+    jwt_secret "<%= SecureRandom.hex(64) %>"
+<% end -%>
+<% if json? || jwt? -%>
+
+    # Accept only JSON requests.
+    only_json? true
+<% end -%>
 
     # Specify the controller used for view rendering and CSRF verification.
     rails_controller { RodauthController }
@@ -42,18 +52,6 @@ class RodauthApp < Rodauth::Rails::App
 
     # Redirect to the app from login and registration pages if already logged in.
     # already_logged_in { redirect login_redirect }
-<% if api_only? -%>
-
-    # ==> JWT
-    # Set JWT secret, which is used to cryptographically protect the token.
-    jwt_secret "<%= SecureRandom.hex(64) %>"
-
-    # Don't require login confirmation param.
-    require_login_confirmation? false
-
-    # Don't require password confirmation param.
-    require_password_confirmation? false
-<% end -%>
 
     # ==> Emails
     # Uncomment the lines below once you've imported mailer views.
@@ -80,14 +78,14 @@ class RodauthApp < Rodauth::Rails::App
     #   db.after_commit { email.deliver_later }
     # end
 
-    # In the meantime you can tweak settings for emails created by Rodauth
+    # In the meantime, you can tweak settings for emails created by Rodauth.
     # email_subject_prefix "[MyApp] "
     # email_from "noreply@myapp.com"
     # send_email(&:deliver_later)
     # reset_password_email_body { "Click here to reset your password: #{reset_password_email_link}" }
 
     # ==> Flash
-<% unless api_only? -%>
+<% unless json? || jwt? -%>
     # Match flash keys with ones already used in the Rails app.
     # flash_notice_key :success # default is :notice
     # flash_error_key :error # default is :alert
@@ -107,7 +105,7 @@ class RodauthApp < Rodauth::Rails::App
 
     # Change minimum number of password characters required when creating an account.
     # password_minimum_length 8
-<% unless api_only? -%>
+<% unless jwt? -%>
 
     # ==> Remember Feature
     # Remember all logged in users.
@@ -128,13 +126,14 @@ class RodauthApp < Rodauth::Rails::App
 
     # Perform additional actions after the account is created.
     # after_create_account do
-    #   Profile.create!(account_id: account[:id], name: param("name"))
+    #   Profile.create!(account_id: account_id, name: param("name"))
     # end
 
     # Do additional cleanup after the account is closed.
     # after_close_account do
-    #   Profile.find_by!(account_id: account[:id]).destroy
+    #   Profile.find_by!(account_id: account_id).destroy
     # end
+<% unless json? || jwt? -%>
 
     # ==> Redirects
     # Redirect to home page after logout.
@@ -145,6 +144,7 @@ class RodauthApp < Rodauth::Rails::App
 
     # Redirect to login page after password reset.
     reset_password_redirect { login_path }
+<% end -%>
 
     # ==> Deadlines
     # Change default deadlines for some actions.
@@ -156,14 +156,13 @@ class RodauthApp < Rodauth::Rails::App
 
   # ==> Multiple configurations
   # configure(:admin) do
-  #   enable :http_basic_auth
-  #
+  #   enable :http_basic_auth # enable different set of features
   #   prefix "/admin"
-  #   session_key :admin_id
+  #   session_key_prefix "admin_"
   # end
 
   route do |r|
-<% unless api_only? -%>
+<% unless jwt? -%>
     rodauth.load_memory # autologin remembered users
 
 <% end -%>

data/lib/rodauth/rails.rb

@@ -42,6 +42,16 @@ module Rodauth
         end
       end
 
+      if ::Rails.gem_version >= Gem::Version.new("5.0")
+        def api_only?
+          ::Rails.application.config.api_only
+        end
+      else
+        def api_only?
+          false
+        end
+      end
+
       def configure
         yield self
       end

data/lib/rodauth/rails/app.rb

@@ -1,4 +1,6 @@
 require "roda"
+require "rodauth"
+require "rodauth/rails/feature"
 
 module Rodauth
   module Rails
@@ -10,13 +12,13 @@ module Rodauth
       plugin :hooks
       plugin :render, layout: false
 
-      def self.configure(name = nil, **options, &block)
-        unless options[:json] == :only
-          require "rodauth/rails/app/flash"
-          plugin Flash
-        end
+      unless Rodauth::Rails.api_only?
+        require "rodauth/rails/app/flash"
+        plugin Flash
+      end
 
-        plugin :rodauth, name: name, csrf: false, flash: false, **options do
+      def self.configure(name = nil, **options, &block)
+        plugin :rodauth, name: name, csrf: false, flash: false, json: true, **options do
           # load the Rails integration
           enable :rails
 

data/lib/rodauth/rails/app/flash.rb

@@ -30,10 +30,12 @@ module Rodauth
             rails_request.flash
           end
 
-          def commit_flash
-            if ActionPack.version >= Gem::Version.new("5.0")
+          if ActionPack.version >= Gem::Version.new("5.0")
+            def commit_flash
               rails_request.commit_flash
-            else
+            end
+          else
+            def commit_flash
               # ActionPack 4.2 automatically commits flash
             end
           end

data/lib/rodauth/rails/feature.rb

@@ -26,7 +26,7 @@ module Rodauth
     def render(page)
       rails_render(partial: page.tr("-", "_"), layout: false) ||
         rails_render(action: page.tr("-", "_"), layout: false) ||
-        super
+        super.html_safe
     end
 
     # Render Rails CSRF tags in Rodauth templates.
@@ -44,6 +44,11 @@ module Rodauth
       true
     end
 
+    # Reset Rails session to protect from session fixation attacks.
+    def clear_session
+      rails_controller_instance.reset_session
+    end
+
     # Default the flash error key to Rails' default :alert.
     def flash_error_key
       :alert
@@ -54,6 +59,10 @@ module Rodauth
       rails_controller_instance.instance_exec(&block)
     end
 
+    def button(*)
+      super.html_safe
+    end
+
     private
 
     # Runs controller callbacks and rescue handlers around Rodauth actions.
@@ -68,20 +77,22 @@ module Rodauth
 
       if rails_controller_instance.performed?
         rails_controller_response
-      else
+      elsif result
         result[1].merge!(rails_controller_instance.response.headers)
         throw :halt, result
+      else
+        result
       end
     end
 
     # Runs any #(before|around|after)_action controller callbacks.
     def rails_controller_callbacks
       # don't verify CSRF token as part of callbacks, Rodauth will do that
-      rails_controller_instance.allow_forgery_protection = false
+      rails_controller_forgery_protection { false }
 
       rails_controller_instance.run_callbacks(:process_action) do
         # turn the setting back to default so that form tags generate CSRF tags
-        rails_controller_instance.allow_forgery_protection = rails_controller.allow_forgery_protection
+        rails_controller_forgery_protection { rails_controller.allow_forgery_protection }
 
         yield
       end
@@ -121,7 +132,7 @@ module Rodauth
 
     # Calls the Rails renderer, returning nil if a template is missing.
     def rails_render(*args)
-      return if only_json?
+      return if rails_api_controller?
 
       rails_controller_instance.render_to_string(*args)
     rescue ActionView::MissingTemplate
@@ -148,6 +159,13 @@ module Rodauth
       rails_controller_instance.send(:form_authenticity_token)
     end
 
+    # allows/disables forgery protection
+    def rails_controller_forgery_protection(&value)
+      return if rails_api_controller?
+
+      rails_controller_instance.allow_forgery_protection = value.call
+    end
+
     # Instances of the configured controller with current request's env hash.
     def _rails_controller_instance
       controller    = rails_controller.new
@@ -159,27 +177,29 @@ module Rodauth
     end
 
     if ActionPack.version >= Gem::Version.new("5.0")
-      # Controller class to use for view rendering, CSRF protection, and
-      # running any registered action callbacks and rescue_from handlers.
-      def rails_controller
-        only_json? ? ActionController::API : ActionController::Base
-      end
-
       def prepare_rails_controller(controller, rails_request)
         controller.set_request! rails_request
         controller.set_response! rails_controller.make_response!(rails_request)
       end
     else
-      def rails_controller
-        ActionController::Base
-      end
-
       def prepare_rails_controller(controller, rails_request)
         controller.send(:set_response!, rails_request)
         controller.instance_variable_set(:@_request, rails_request)
       end
     end
 
+    def rails_api_controller?
+      defined?(ActionController::API) && rails_controller <= ActionController::API
+    end
+
+    def rails_controller
+      if only_json? && Rodauth::Rails.api_only?
+        ActionController::API
+      else
+        ActionController::Base
+      end
+    end
+
     # ActionMailer subclass for correct email delivering.
     class Mailer < ActionMailer::Base
       def create_email(**options)

data/lib/rodauth/rails/tasks.rake

@@ -22,7 +22,7 @@ namespace :rodauth do
         "#{path.ljust(padding)}  #{code}"
       end
 
-      puts "\n  #{route_lines.join("\n  ")}"
+      puts "\n  #{route_lines.join("\n  ")}" unless route_lines.empty?
     end
   end
 end

data/lib/rodauth/rails/version.rb

@@ -1,5 +1,5 @@
 module Rodauth
   module Rails
-    VERSION = "0.7.0"
+    VERSION = "0.9.1"
   end
 end

data/rodauth-rails.gemspec

@@ -17,8 +17,10 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "railties", ">= 4.2", "< 7"
-  spec.add_dependency "rodauth", "~> 2.6"
+  spec.add_dependency "rodauth", "~> 2.9"
   spec.add_dependency "sequel-activerecord_connection", "~> 1.1"
   spec.add_dependency "tilt"
   spec.add_dependency "bcrypt"
+
+  spec.add_development_dependency "jwt"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-rails
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.9.1
 platform: ruby
 authors:
 - Janko Marohnić
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-27 00:00:00.000000000 Z
+date: 2021-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -36,14 +36,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '2.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '2.9'
 - !ruby/object:Gem::Dependency
   name: sequel-activerecord_connection
   requirement: !ruby/object:Gem::Requirement
@@ -86,6 +86,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Provides Rails integration for Rodauth.
 email:
 - janko.marohnic@gmail.com
@@ -187,7 +201,6 @@ files:
 - lib/generators/rodauth/templates/db/migrate/create_rodauth.rb
 - lib/generators/rodauth/views_generator.rb
 - lib/rodauth-rails.rb
-- lib/rodauth/features/rails.rb
 - lib/rodauth/rails.rb
 - lib/rodauth/rails/app.rb
 - lib/rodauth/rails/app/flash.rb
@@ -203,7 +216,7 @@ homepage: https://github.com/janko/rodauth-rails
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -218,8 +231,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Provides Rails integration for Rodauth.
 test_files: []

data/lib/rodauth/features/rails.rb

@@ -1 +0,0 @@
-require "rodauth/rails/feature"