rodauth-rails 0.9.1 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b8f8aec1dbdc745a530aabec0d63bc2681499dd36f8185faed9ea09e7184636e
-  data.tar.gz: fbc5a75976a922978a6e37fee3bef8e7f04bb0a9a324066afdf79172b33f00e9
+  metadata.gz: 4cc138f57505a1bbf92267e02b8d9b87f50c0dd9b6c114891f649c0b15878637
+  data.tar.gz: 28fc8264a8629dd186a446a4d067167d572f8ea58b65c742f12f81a5192221db
 SHA512:
-  metadata.gz: 89d2f6ad377ba8e3f18bc747c3bfdf53e97c1a29f2731036987e5f7c1fde14db89732cda2d09026a153d81eabe26e51e021a129f02517d4d5582fcaf392876ca
-  data.tar.gz: 648b1297a9569b436113b5921a9ae37944d808ed42a03ef57a75452a74143dcc493e7d9c34a12f31f780745db5d2b1365d5a7b602dfa303571961730566852f4
+  metadata.gz: 74645990b10677d44503f272a63300465881c6e596b514ce0e1d1607689d8ace60c5e70a79c952256ad73bf704a8d268e27af3da8cdb617c5b381f752b302c4b
+  data.tar.gz: 1525c4a51d4323e348ee2dc117e5ef320214f42f385549f5646af1d8e1792bfeac2be3f220b473873aed8fc72f4448aade9848b82fdd2c348874f8b4950e4631

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 0.10.0 (2021-03-23)
+
+* Add `Rodauth::Rails::Auth` superclass for moving configurations into separate files (@janko)
+
+* Load the `pass` Roda plugin and recommend calling `r.pass` on prefixed routes (@janko)
+
+* Improve Roda middleware inspect output (@janko)
+
+* Create `RodauthMailer` and email templates in `rodauth:install`, and remove `rodauth:mailer` (@janko)
+
+* Raise `KeyError` in `#rodauth` method when the Rodauth instance doesn't exist (@janko)
+
+* Add `Rodauth::Rails.authenticated` routing constraint for requiring authentication (@janko)
+
 ## 0.9.1 (2021-02-10)
 
 * Fix flash integration being loaded for API-only apps and causing an error (@dmitryzuev)

data/README.md

@@ -83,7 +83,7 @@ documentation][hmac] for instructions on how to safely transition, or just set
 Add the gem to your Gemfile:
 
 ```rb
-gem "rodauth-rails", "~> 0.9"
+gem "rodauth-rails", "~> 0.10"
 
 # gem "jwt",      require: false # for JWT feature
 # gem "rotp",     require: false # for OTP feature
@@ -116,6 +116,7 @@ The generator will create the following files:
 * Rodauth app at `app/lib/rodauth_app.rb`
 * Rodauth controller at `app/controllers/rodauth_controller.rb`
 * Account model at `app/models/account.rb`
+* Rodauth mailer at `app/mailers/rodauth_mailer.rb` with views
 
 ### Migration
 
@@ -211,6 +212,23 @@ class Account < ApplicationRecord
 end
 ```
 
+### Rodauth mailer
+
+The default Rodauth app is configured to use `RodauthMailer` mailer
+for sending authentication emails.
+
+```rb
+# app/mailers/rodauth_mailer.rb
+class RodauthMailer < ApplicationMailer
+  def verify_account(recipient, email_link) ... end
+  def reset_password(recipient, email_link) ... end
+  def verify_login_change(recipient, old_login, new_login, email_link) ... end
+  def password_changed(recipient) ... end
+  # def email_auth(recipient, email_link) ... end
+  # def unlock_account(recipient, email_link) ... end
+end
+```
+
 ## Usage
 
 ### Routes
@@ -272,7 +290,7 @@ class ApplicationController < ActionController::Base
     rodauth.logout
     rodauth.login_required
   end
-  helper_method :current_account
+  helper_method :current_account # skip if inheriting from ActionController:API
 end
 ```
 
@@ -330,15 +348,52 @@ class PostsController < ApplicationController
 end
 ```
 
-Or at the Rails router level:
+#### Routing constraints
+
+You can also require authentication at the Rails router level by
+using a built-in `authenticated` routing constraint:
 
 ```rb
 # config/routes.rb
 Rails.application.routes.draw do
-  constraints -> (r) { r.env["rodauth"].require_authentication } do
-    namespace :admin do
-      # ...
-    end
+  constraints Rodauth::Rails.authenticated do
+    # ... authenticated routes ...
+  end
+end
+```
+
+If you want additional conditions, you can pass in a block, which is
+called with the Rodauth instance:
+
+```rb
+# config/routes.rb
+Rails.application.routes.draw do
+  # require multifactor authentication to be setup
+  constraints Rodauth::Rails.authenticated { |rodauth| rodauth.uses_two_factor_authentication? } do
+    # ...
+  end
+end
+```
+
+You can specify the Rodauth configuration by passing the configuration name:
+
+```rb
+# config/routes.rb
+Rails.application.routes.draw do
+  constraints Rodauth::Rails.authenticated(:admin) do
+    # ...
+  end
+end
+```
+
+If you need something more custom, you can always create the routing constraint
+manually:
+
+```rb
+# config/routes.rb
+Rails.application.routes.draw do
+  constraints -> (r) { !r.env["rodauth"].logged_in? } do # or "rodauth.admin"
+    # routes when the user is not logged in
   end
 end
 ```
@@ -406,54 +461,33 @@ end
 
 ### Mailer
 
-Depending on the features you've enabled, Rodauth may send emails as part of
-the authentication flow. Most email settings can be customized:
+The install generator will create `RodauthMailer` with default email templates,
+and configure Rodauth features that send emails as part of the authentication
+flow to use it.
 
 ```rb
-# app/lib/rodauth_app.rb
-class RodauthApp < Rodauth::Rails::App
-  # ...
-  configure do
+# app/mailers/rodauth_mailer.rb
+class RodauthMailer < ApplicationMailer
+  def verify_account(recipient, email_link)
     # ...
-    # general settings
-    email_from "no-reply@myapp.com"
-    email_subject_prefix "[MyApp] "
-    send_email(&:deliver_later)
+  end
+  def reset_password(recipient, email_link)
     # ...
-    # feature settings
-    verify_account_email_subject "Verify your account"
-    verify_account_email_body { "Verify your account by visting this link: #{verify_account_email_link}" }
+  end
+  def verify_login_change(recipient, old_login, new_login, email_link)
     # ...
   end
+  def password_changed(recipient)
+    # ...
+  end
+  # def email_auth(recipient, email_link)
+  # ...
+  # end
+  # def unlock_account(recipient, email_link)
+  # ...
+  # end
 end
 ```
-
-This is convenient when starting out, but eventually you might want to use your
-own mailer. You can start by running the following command:
-
-```sh
-$ rails generate rodauth:mailer
-```
-
-This will create a `RodauthMailer` with the associated mailer views in
-`app/views/rodauth_mailer` directory:
-
-```rb
-# app/mailers/rodauth_mailer.rb
-class RodauthMailer < ApplicationMailer
-  def verify_account(recipient, email_link) ... end
-  def reset_password(recipient, email_link) ... end
-  def verify_login_change(recipient, old_login, new_login, email_link) ... end
-  def password_changed(recipient) ... end
-  # def email_auth(recipient, email_link) ... end
-  # def unlock_account(recipient, email_link) ... end
-end
-```
-
-You can then uncomment the lines in your Rodauth configuration to have it call
-your mailer. If you've enabled additional authentication features that send
-emails, make sure to override their `create_*_email` methods as well.
-
 ```rb
 # app/lib/rodauth_app.rb
 class RodauthApp < Rodauth::Rails::App
@@ -487,10 +521,17 @@ class RodauthApp < Rodauth::Rails::App
 end
 ```
 
-This approach can be used even if you're using a 3rd-party service for
-transactional emails, where emails are sent via HTTP instead of SMTP. Whatever
-the `create_*_email` block returns will be passed to `send_email`, so you can
-be creative.
+The above configuration uses `#deliver_later`, which assumes Active Job is
+configured. It's generally recommended to send emails in a background job,
+for better throughput and ability to retry. However, if you want to send emails
+synchronously, you can modify the code to call `#deliver` instead.
+
+The `#send_email` method will receive whatever object is returned by the
+`#create_*_email` methods. But if that doesn't suit you, you can override
+`#send_*_email` methods instead, which are expected to send the email
+immediately. This might work better in scenarios such as using a 3rd-party
+service for transactional emails, where emails are sent via HTTP instead of
+SMTP.
 
 ### Migrations
 
@@ -531,12 +572,20 @@ class RodauthApp < Rodauth::Rails::App
     prefix "/admin"
     session_key_prefix "admin_"
     remember_cookie_key "_admin_remember" # if using remember feature
+
+    # if you want separate tables
+    accounts_table :admin_accounts
+    password_hash_table :admin_account_password_hashes
     # ...
   end
 
   route do |r|
     r.rodauth
-    r.on("admin") { r.rodauth(:admin) }
+
+    r.on "admin" do
+      r.rodauth(:admin)
+      r.pass # allow the Rails app to handle other "/admin/*" requests
+    end
     # ...
   end
 end
@@ -548,6 +597,98 @@ Then in your application you can reference the secondary Rodauth instance:
 rodauth(:admin).login_path #=> "/admin/login"
 ```
 
+#### Named auth classes
+
+A `configure` block inside `Rodauth::Rails::App` will internally create an
+anonymous `Rodauth::Auth` subclass, and register it under the given name.
+However, you can also define the auth classes explicitly, by creating
+subclasses of `Rodauth::Rails::Auth`:
+
+```rb
+# app/lib/rodauth_main.rb
+class RodauthMain < Rodauth::Rails::Auth
+  configure do
+    # ... main configuration ...
+  end
+end
+```
+```rb
+# app/lib/rodauth_admin.rb
+class RodauthAdmin < Rodauth::Rails::Auth
+  configure do
+    # ...
+    prefix "/admin"
+    session_key_prefix "admin_"
+    # ...
+  end
+end
+```
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure RodauthMain
+  configure RodauthAdmin, :admin
+  # ...
+end
+```
+
+This allows having each configuration in a dedicated file, and named constants
+improve introspection and error messages. You can also use inheritance to share
+common settings:
+
+```rb
+# app/lib/rodauth_base.rb
+class RodauthBase < Rodauth::Rails::App
+  # common settings that can be shared between multiple configurations
+  configure do
+    enable :login, :logout
+    login_return_to_requested_location? true
+    logout_redirect "/"
+    # ...
+  end
+end
+```
+```rb
+# app/lib/rodauth_main.rb
+class RodauthMain < RodauthBase # inherit common settings
+  configure do
+    # ... customize main ...
+  end
+end
+```
+```rb
+# app/lib/rodauth_admin.rb
+class RodauthAdmin < RodauthBase # inherit common settings
+  configure do
+    # ... customize admin ...
+  end
+end
+```
+
+Another benefit is that you can define custom methods directly on the class
+instead of through `auth_class_eval`:
+
+```rb
+# app/lib/rodauth_admin.rb
+class RodauthAdmin < Rodauth::Rails::Auth
+  configure do
+    # ...
+  end
+
+  def superadmin?
+    Role.where(account_id: session_id).any? { |role| role.name == "superadmin" }
+  end
+end
+```
+```rb
+# config/routes.rb
+Rails.application.routes.draw do
+  constraints Rodauth::Rails.authenticated(:admin) { |rodauth| rodauth.superadmin? } do
+    mount Sidekiq::Web => "sidekiq"
+  end
+end
+```
+
 ### Calling controller methods
 
 When using Rodauth before/after hooks or generally overriding your Rodauth
@@ -922,48 +1063,147 @@ end
 
 ## Testing
 
-If you're writing system tests, it's generally better to go through the actual
-authentication flow with tools like Capybara, and to not use any stubbing.
-
-In functional and integration tests you can just make requests to Rodauth
-routes:
+System (browser) tests for Rodauth actions could look something like this:
 
 ```rb
-# test/controllers/posts_controller_test.rb
-class PostsControllerTest < ActionDispatch::IntegrationTest
-  test "should require authentication" do
-    get posts_url
-    assert_redirected_to "/login"
+# test/system/authentication_test.rb
+require "test_helper"
+
+class AuthenticationTest < ActionDispatch::SystemTestCase
+  include ActiveJob::TestHelper
+  driven_by :rack_test
+
+  test "creating and verifying an account" do
+    create_account
+    assert_match "An email has been sent to you with a link to verify your account", page.text
+
+    verify_account
+    assert_match "Your account has been verified", page.text
+  end
+
+  test "logging in and logging out" do
+    create_account(verify: true)
+
+    logout
+    assert_match "You have been logged out", page.text
 
     login
-    get posts_url
+    assert_match "You have been logged in", page.text
+  end
+
+  private
+
+  def create_account(email: "user@example.com", password: "secret", verify: false)
+    visit "/create-account"
+    fill_in "Login", with: email
+    fill_in "Password", with: password
+    fill_in "Confirm Password", with: password
+    click_on "Create Account"
+    verify_account if verify
+  end
+
+  def verify_account
+    perform_enqueued_jobs # run enqueued email deliveries
+    email = ActionMailer::Base.deliveries.last
+    verify_account_link = email.body.to_s[/\S+verify-account\S+/]
+    visit verify_account_link
+    click_on "Verify Account"
+  end
+
+  def login(email: "user@example.com", password: "secret")
+    visit "/login"
+    fill_in "Login", with: email
+    fill_in "Password", with: password
+    click_on "Login"
+  end
+
+  def logout
+    visit "/logout"
+    click_on "Logout"
+  end
+end
+```
+
+While request tests in JSON API mode with JWT tokens could look something like
+this:
+
+```rb
+# test/integration/authentication_test.rb
+require "test_helper"
+
+class AuthenticationTest < ActionDispatch::IntegrationTest
+  test "creating and verifying an account" do
+    create_account
     assert_response :success
+    assert_match "An email has been sent to you with a link to verify your account", JSON.parse(body)["success"]
+
+    verify_account
+    assert_response :success
+    assert_match "Your account has been verified", JSON.parse(body)["success"]
+  end
+
+  test "logging in and logging out" do
+    create_account(verify: true)
 
     logout
-    assert_redirected_to "/login"
+    assert_response :success
+    assert_match "You have been logged out", JSON.parse(body)["success"]
+
+    login
+    assert_response :success
+    assert_match "You have been logged in", JSON.parse(body)["success"]
   end
 
   private
 
-  def login(login: "user@example.com", password: "secret")
-    post "/create-account", params: {
-      "login"            => login,
-      "password"         => password,
-      "password-confirm" => password,
-    }
-
-    post "/login", params: {
-      "login"    => login,
-      "password" => password,
-    }
+  def create_account(email: "user@example.com", password: "secret", verify: false)
+    post "/create-account", as: :json, params: { login: email, password: password, "password-confirm": password }
+    verify_account if verify
+  end
+
+  def verify_account
+    perform_enqueued_jobs # run enqueued email deliveries
+    email = ActionMailer::Base.deliveries.last
+    verify_account_key = email.body.to_s[/verify-account\?key=(\S+)/, 1]
+    post "/verify-account", as: :json, params: { key: verify_account_key }
+  end
+
+  def login(email: "user@example.com", password: "secret")
+    post "/login", as: :json, params: { login: email, password: password }
   end
 
   def logout
-    post "/logout"
+    post "/logout", as: :json, headers: { "Authorization" => headers["Authorization"] }
   end
 end
 ```
 
+If you're delivering emails in the background, make sure to set Active Job
+queue adapter to `:test`:
+
+```rb
+# config/environments/test.rb
+Rails.application.configure do |config|
+  # ...
+  config.active_job.queue_adapter = :test
+  # ...
+end
+```
+
+If you need to create the account manually, you can do it as follows:
+
+```rb
+account_id = DB[:accounts].insert(
+  email: "user@example.com",
+  status: "verified",
+)
+
+DB[:account_password_hashes].insert(
+  account_id: account_id,
+  password_hash: BCrypt::Password.create("secret", cost: BCrpyt::Engine::MIN_COST),
+)
+```
+
 ## Rodauth defaults
 
 rodauth-rails changes some of the default Rodauth settings for easier setup:

data/lib/generators/rodauth/install_generator.rb

@@ -10,6 +10,15 @@ module Rodauth
         include ::ActiveRecord::Generators::Migration
         include MigrationHelpers
 
+        MAILER_VIEWS = %w[
+          email_auth
+          password_changed
+          reset_password
+          unlock_account
+          verify_account
+          verify_login_change
+        ]
+
         source_root "#{__dir__}/templates"
         namespace "rodauth:install"
 
@@ -47,6 +56,14 @@ module Rodauth
           template "app/models/account.rb"
         end
 
+        def create_mailer
+          template "app/mailers/rodauth_mailer.rb"
+
+          MAILER_VIEWS.each do |view|
+            template "app/views/rodauth_mailer/#{view}.text.erb"
+          end
+        end
+
         private
 
         def sequel_uri_scheme

data/lib/generators/rodauth/templates/app/lib/rodauth_app.rb

@@ -2,10 +2,10 @@ class RodauthApp < Rodauth::Rails::App
   configure do
     # List of authentication features that are loaded.
     enable :create_account, :verify_account, :verify_account_grace_period,
-      :login, :logout<%= ", :remember" unless jwt? %>,
+      :login, :logout<%= ", :remember" unless jwt? %><%= ", :json" if json? %><%= ", :jwt" if jwt? %>,
       :reset_password, :change_password, :change_password_notify,
       :change_login, :verify_login_change,
-      :close_account<%= ", :json" if json? %><%= ", :jwt" if jwt? %>
+      :close_account
 
     # See the Rodauth documentation for the list of available config options:
     # http://rodauth.jeremyevans.net/documentation.html
@@ -23,6 +23,10 @@ class RodauthApp < Rodauth::Rails::App
 
     # Accept only JSON requests.
     only_json? true
+
+    # Handle login and password confirmation fields on the client side.
+    # require_password_confirmation? false
+    # require_login_confirmation? false
 <% end -%>
 
     # Specify the controller used for view rendering and CSRF verification.
@@ -54,35 +58,29 @@ class RodauthApp < Rodauth::Rails::App
     # already_logged_in { redirect login_redirect }
 
     # ==> Emails
-    # Uncomment the lines below once you've imported mailer views.
-    # create_reset_password_email do
-    #   RodauthMailer.reset_password(email_to, reset_password_email_link)
-    # end
-    # create_verify_account_email do
-    #   RodauthMailer.verify_account(email_to, verify_account_email_link)
-    # end
-    # create_verify_login_change_email do |login|
-    #   RodauthMailer.verify_login_change(login, verify_login_change_old_login, verify_login_change_new_login, verify_login_change_email_link)
-    # end
-    # create_password_changed_email do
-    #   RodauthMailer.password_changed(email_to)
+    # Use a custom mailer for delivering authentication emails.
+    create_reset_password_email do
+      RodauthMailer.reset_password(email_to, reset_password_email_link)
+    end
+    create_verify_account_email do
+      RodauthMailer.verify_account(email_to, verify_account_email_link)
+    end
+    create_verify_login_change_email do |login|
+      RodauthMailer.verify_login_change(login, verify_login_change_old_login, verify_login_change_new_login, verify_login_change_email_link)
+    end
+    create_password_changed_email do
+      RodauthMailer.password_changed(email_to)
+    end
+    # create_email_auth_email do
+    #   RodauthMailer.email_auth(email_to, email_auth_email_link)
     # end
-    # # create_email_auth_email do
-    # #   RodauthMailer.email_auth(email_to, email_auth_email_link)
-    # # end
-    # # create_unlock_account_email do
-    # #   RodauthMailer.unlock_account(email_to, unlock_account_email_link)
-    # # end
-    # send_email do |email|
-    #   # queue email delivery on the mailer after the transaction commits
-    #   db.after_commit { email.deliver_later }
+    # create_unlock_account_email do
+    #   RodauthMailer.unlock_account(email_to, unlock_account_email_link)
     # end
-
-    # In the meantime, you can tweak settings for emails created by Rodauth.
-    # email_subject_prefix "[MyApp] "
-    # email_from "noreply@myapp.com"
-    # send_email(&:deliver_later)
-    # reset_password_email_body { "Click here to reset your password: #{reset_password_email_link}" }
+    send_email do |email|
+      # queue email delivery on the mailer after the transaction commits
+      db.after_commit { email.deliver_later }
+    end
 
     # ==> Flash
 <% unless json? || jwt? -%>
@@ -151,7 +149,9 @@ class RodauthApp < Rodauth::Rails::App
     # verify_account_grace_period 3.days
     # reset_password_deadline_interval Hash[hours: 6]
     # verify_login_change_deadline_interval Hash[days: 2]
+<% unless jwt? -%>
     # remember_deadline_interval Hash[days: 30]
+<% end -%>
   end
 
   # ==> Multiple configurations
@@ -187,6 +187,8 @@ class RodauthApp < Rodauth::Rails::App
     #   unless rodauth(:admin).logged_in?
     #     rodauth(:admin).require_http_basic_auth
     #   end
+    #
+    #   r.pass # allow the Rails app to handle other "/admin/*" requests
     # end
   end
 end

data/lib/generators/rodauth/templates/app/mailers/rodauth_mailer.rb

@@ -1,4 +1,4 @@
-class <%= options[:name].camelize %>Mailer < ApplicationMailer
+class RodauthMailer < ApplicationMailer
   def verify_account(recipient, email_link)
     @email_link = email_link
 
@@ -25,13 +25,13 @@ class <%= options[:name].camelize %>Mailer < ApplicationMailer
 
   # def email_auth(recipient, email_link)
   #   @email_link = email_link
-
+  #
   #   mail to: recipient
   # end
 
   # def unlock_account(recipient, email_link)
   #   @email_link = email_link
-
+  #
   #   mail to: recipient
   # end
 end

data/lib/rodauth/rails.rb

@@ -8,6 +8,7 @@ module Rodauth
 
     # This allows the developer to avoid loading Rodauth at boot time.
     autoload :App, "rodauth/rails/app"
+    autoload :Auth, "rodauth/rails/auth"
 
     @app = nil
     @middleware = true
@@ -32,6 +33,15 @@ module Rodauth
         scope.rodauth(name)
       end
 
+      # routing constraint that requires authentication
+      def authenticated(name = nil, &condition)
+        lambda do |request|
+          rodauth = request.env.fetch ["rodauth", *name].join(".")
+          rodauth.require_authentication
+          rodauth.authenticated? && (condition.nil? || condition.call(rodauth))
+        end
+      end
+
       if ::Rails.gem_version >= Gem::Version.new("5.2")
         def secret_key_base
           ::Rails.application.secret_key_base

data/lib/rodauth/rails/app.rb

@@ -1,6 +1,5 @@
 require "roda"
-require "rodauth"
-require "rodauth/rails/feature"
+require "rodauth/rails/auth"
 
 module Rodauth
   module Rails
@@ -11,38 +10,29 @@ module Rodauth
 
       plugin :hooks
       plugin :render, layout: false
+      plugin :pass
 
       unless Rodauth::Rails.api_only?
         require "rodauth/rails/app/flash"
         plugin Flash
       end
 
-      def self.configure(name = nil, **options, &block)
-        plugin :rodauth, name: name, csrf: false, flash: false, json: true, **options do
-          # load the Rails integration
-          enable :rails
+      def self.configure(*args, **options, &block)
+        auth_class = args.shift if args[0].is_a?(Class)
+        name       = args.shift if args[0].is_a?(Symbol)
 
-          # database functions are more complex to set up, so disable them by default
-          use_database_authentication_functions? false
+        fail ArgumentError, "need to pass optional Rodauth::Auth subclass and optional configuration name" if args.any?
 
-          # avoid having to set deadline values in column default values
-          set_deadline_values? true
+        auth_class ||= Class.new(Rodauth::Rails::Auth)
 
-          # use HMACs for additional security
-          hmac_secret { Rodauth::Rails.secret_key_base }
-
-          # evaluate user configuration
-          instance_exec(&block)
+        plugin :rodauth, auth_class: auth_class, name: name, csrf: false, flash: false, json: true, **options do
+          instance_exec(&block) if block
         end
       end
 
       before do
-        (opts[:rodauths] || {}).each do |name, _|
-          if name
-            env["rodauth.#{name}"] = rodauth(name)
-          else
-            env["rodauth"] = rodauth
-          end
+        opts[:rodauths]&.each_key do |name|
+          env[["rodauth", *name].join(".")] = rodauth(name)
         end
       end
     end

data/lib/rodauth/rails/app/middleware.rb

@@ -3,20 +3,30 @@ module Rodauth
     class App
       # Roda plugin that extends middleware plugin by propagating response headers.
       module Middleware
-        def self.load_dependencies(app)
-          app.plugin :hooks
-        end
-
         def self.configure(app)
-          app.after do
-            if response.empty? && response.headers.any?
-              env["rodauth.rails.headers"] = response.headers
+          handle_result = -> (env, res) do
+            if headers = env.delete("rodauth.rails.headers")
+              res[1] = headers.merge(res[1])
             end
           end
 
-          app.plugin :middleware, handle_result: -> (env, res) do
-            if headers = env.delete("rodauth.rails.headers")
-              res[1] = headers.merge(res[1])
+          app.plugin :middleware, handle_result: handle_result do |middleware|
+            middleware.plugin :hooks
+
+            middleware.after do
+              if response.empty? && response.headers.any?
+                env["rodauth.rails.headers"] = response.headers
+              end
+            end
+
+            middleware.class_eval do
+              def self.inspect
+                "#{superclass}::Middleware"
+              end
+
+              def inspect
+                "#<#{self.class.inspect} request=#{request.inspect} response=#{response.inspect}>"
+              end
             end
           end
         end

data/lib/rodauth/rails/auth.rb

@@ -0,0 +1,40 @@
+require "rodauth"
+require "rodauth/rails/feature"
+
+module Rodauth
+  module Rails
+    # Base auth class that applies some default configuration and supports
+    # multi-level inheritance.
+    class Auth < Rodauth::Auth
+      class << self
+        attr_writer :features
+        attr_writer :routes
+        attr_accessor :configuration
+      end
+
+      def self.inherited(auth_class)
+        super
+        auth_class.roda_class = Rodauth::Rails.app
+        auth_class.features = features.dup
+        auth_class.routes = routes.dup
+        auth_class.route_hash = route_hash.dup
+        auth_class.configuration = configuration.clone
+        auth_class.configuration.instance_variable_set(:@auth, auth_class)
+      end
+
+      # apply default configuration
+      configure do
+        enable :rails
+
+        # database functions are more complex to set up, so disable them by default
+        use_database_authentication_functions? false
+
+        # avoid having to set deadline values in column default values
+        set_deadline_values? true
+
+        # use HMACs for additional security
+        hmac_secret { Rodauth::Rails.secret_key_base }
+      end
+    end
+  end
+end

data/lib/rodauth/rails/controller_methods.rb

@@ -9,11 +9,7 @@ module Rodauth
       end
 
       def rodauth(name = nil)
-        if name
-          request.env["rodauth.#{name}"]
-        else
-          request.env["rodauth"]
-        end
+        request.env.fetch ["rodauth", *name].join(".")
       end
     end
   end

data/lib/rodauth/rails/version.rb

@@ -1,5 +1,5 @@
 module Rodauth
   module Rails
-    VERSION = "0.9.1"
+    VERSION = "0.10.0"
   end
 end

data/rodauth-rails.gemspec

@@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "railties", ">= 4.2", "< 7"
-  spec.add_dependency "rodauth", "~> 2.9"
+  spec.add_dependency "rodauth", "~> 2.11"
   spec.add_dependency "sequel-activerecord_connection", "~> 1.1"
   spec.add_dependency "tilt"
   spec.add_dependency "bcrypt"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-rails
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.10.0
 platform: ruby
 authors:
 - Janko Marohnić
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-10 00:00:00.000000000 Z
+date: 2021-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -36,14 +36,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.9'
+        version: '2.11'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.9'
+        version: '2.11'
 - !ruby/object:Gem::Dependency
   name: sequel-activerecord_connection
   requirement: !ruby/object:Gem::Requirement
@@ -111,7 +111,6 @@ files:
 - LICENSE.txt
 - README.md
 - lib/generators/rodauth/install_generator.rb
-- lib/generators/rodauth/mailer_generator.rb
 - lib/generators/rodauth/migration/account_expiration.erb
 - lib/generators/rodauth/migration/active_sessions.erb
 - lib/generators/rodauth/migration/audit_logging.erb
@@ -205,6 +204,7 @@ files:
 - lib/rodauth/rails/app.rb
 - lib/rodauth/rails/app/flash.rb
 - lib/rodauth/rails/app/middleware.rb
+- lib/rodauth/rails/auth.rb
 - lib/rodauth/rails/controller_methods.rb
 - lib/rodauth/rails/feature.rb
 - lib/rodauth/rails/middleware.rb

data/lib/generators/rodauth/mailer_generator.rb

@@ -1,37 +0,0 @@
-require "rails/generators/base"
-
-module Rodauth
-  module Rails
-    module Generators
-      class MailerGenerator < ::Rails::Generators::Base
-        source_root "#{__dir__}/templates"
-        namespace "rodauth:mailer"
-
-        VIEWS = %w[
-          email_auth
-          password_changed
-          reset_password
-          unlock_account
-          verify_account
-          verify_login_change
-        ]
-
-        class_option :name,
-          desc: "The name for the mailer and the views directory",
-          default: "rodauth"
-
-        def copy_mailer
-          template "app/mailers/rodauth_mailer.rb",
-            "app/mailers/#{options[:name].underscore}_mailer.rb"
-        end
-
-        def copy_mailer_views
-          VIEWS.each do |view|
-            template "app/views/rodauth_mailer/#{view}.text.erb",
-              "app/views/#{options[:name].underscore}_mailer/#{view}.text.erb"
-          end
-        end
-      end
-    end
-  end
-end