rodauth-rails 1.2.1 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 43bfba245fc25ff73659728066a02b0227b0041823547767a10fb7025f354329
-  data.tar.gz: 8e66a69d20e07b882e633330d27f7fafde524ba8e7af0052c83025bf101c3c10
+  metadata.gz: 4e268594e5890725cbba25ee24ab158df204ada3789aeebe428b737307128d9e
+  data.tar.gz: dca778863032dc428ac44b5feca48fe430ef55ea64f4e10050293d1c1a3d95c6
 SHA512:
-  metadata.gz: e94b952207b08ba887d4168e442c669d15d04af11a0dada8f56d38f572ca1c662b0160067c2680cc984a203afe7cb443c1e3d9893544e9920655f4159c463d7f
-  data.tar.gz: 56562e10ef5f361511fe090265b6647056f9befa8ba3d2095c90a5e07f18e4e61ba202a6dad28289ccaded5ba096a535ff38a98096e034d811f0749bcc1a1207
+  metadata.gz: 9008b2381959811820eca625f68c5df7ec2021319ceb2c7bdf6c75412f32ea51f01ffabd716da73f6565e263e0a74699c2c940a70296adf0b9c0b8576ef8e3de
+  data.tar.gz: 4b0d70d43ff624b610bcded93a528b089d103f11975b7fdec9c8bd38b1f81b5c003de2fa1e4068f2c2006841f91783044280fa575ec5951b2ae319f4836a49b7

data/CHANGELOG.md

@@ -1,3 +1,21 @@
+## 1.3.1 (2022-04-22)
+
+* Ensure response status is logged when calling a halting rodauth method inside a controller (@janko)
+
+## 1.3.0 (2022-04-01)
+
+* Store password hash on the `accounts` table in generated Rodauth migration and configuration (@janko)
+
+* Add support for controller testing with Minitest or RSpec (@janko)
+
+* Fix `enum` declaration in generated `Account` model for Active Record < 7.0 (@janko)
+
+* Ensure `require_login_redirect` points to the login page even if the login route changes (@janko)
+
+## 1.2.2 (2022-02-22)
+
+* Fix flash messages not being preserved through consecutive redirects (@janko)
+
 ## 1.2.1 (2022-02-19)
 
 * Change `accounts.status` column type from string to integer (@zhongsheng)

data/README.md

@@ -10,7 +10,6 @@ Provides Rails integration for the [Rodauth] authentication framework.
 * [Rails demo](https://github.com/janko/rodauth-demo-rails)
 * [JSON API guide](https://github.com/janko/rodauth-rails/wiki/JSON-API)
 * [OmniAuth guide](https://github.com/janko/rodauth-rails/wiki/OmniAuth)
-* [Testing guide](https://github.com/janko/rodauth-rails/wiki/Testing)
 
 🎥 Screencasts:
 
@@ -40,7 +39,7 @@ of the advantages that stand out for me:
 * consistent before/after hooks around everything
 * dedicated object encapsulating all authentication logic
 
-One commmon concern is the fact that, unlike most other authentication
+One common concern is the fact that, unlike most other authentication
 frameworks for Rails, Rodauth uses [Sequel] for database interaction instead of
 Active Record. There are good reasons for this, and to make Rodauth work
 smoothly alongside Active Record, rodauth-rails configures Sequel to [reuse
@@ -783,6 +782,86 @@ Rodauth::Rails.rodauth(session: { two_factor_auth_setup: true })
 Rodauth::Rails.rodauth(:admin, params: { "param" => "value" })
 ```
 
+## Testing
+
+For system and integration tests, which run the whole middleware stack,
+authentication can be exercised normally via HTTP endpoints. See [this wiki
+page](https://github.com/janko/rodauth-rails/wiki/Testing) for some examples.
+
+For controller tests, you can log in accounts by modifying the session:
+
+```rb
+# app/controllers/articles_controller.rb
+class ArticlesController < ApplicationController
+  before_action -> { rodauth.require_authentication }
+
+  def index
+    # ...
+  end
+end
+```
+```rb
+# test/controllers/articles_controller_test.rb
+class ArticlesControllerTest < ActionController::TestCase
+  test "required authentication" do
+    get :index
+
+    assert_response 302
+    assert_redirected_to "/login"
+    assert_equal "Please login to continue", flash[:alert]
+
+    account = Account.create!(email: "user@example.com", password: "secret", status: "verified")
+    login(account)
+
+    get :index
+    assert_response 200
+
+    logout
+
+    get :index
+    assert_response 302
+    assert_equal "Please login to continue", flash[:alert]
+  end
+
+  private
+
+  # Manually modify the session into what Rodauth expects.
+  def login(account)
+    session[:account_id] = account.id
+    session[:authenticated_by] = ["password"] # or ["password", "totp"] for MFA
+  end
+
+  def logout
+    session.clear
+  end
+end
+```
+
+If you're using multiple configurations with different session prefixes, you'll need
+to make sure to use those in controller tests as well:
+
+```rb
+class RodauthAdmin < Rodauth::Rails::Auth
+  configure do
+    session_key_prefix "admin_"
+  end
+end
+```
+```rb
+# in a controller test:
+session[:admin_account_id] = account.id
+session[:admin_authenticated_by] = ["password"]
+```
+
+If you want to access the Rodauth instance in controller tests, you can do so
+through the controller instance:
+
+```rb
+# in a controller test:
+@controller.rodauth         #=> #<RodauthMain ...>
+@controller.rodauth(:admin) #=> #<RodauthAdmin ...>
+```
+
 ## Configuring
 
 ### Configuration methods

data/lib/generators/rodauth/migration/base.erb

@@ -3,23 +3,18 @@ enable_extension "citext"
 
 <% end -%>
 create_table :accounts<%= primary_key_type %> do |t|
+  t.integer :status, null: false, default: 1
 <% case activerecord_adapter -%>
 <% when "postgresql" -%>
   t.citext :email, null: false
 <% else -%>
   t.string :email, null: false
 <% end -%>
-  t.integer :status, null: false, default: 1
 <% case activerecord_adapter -%>
 <% when "postgresql", "sqlite3" -%>
   t.index :email, unique: true, where: "status IN (1, 2)"
 <% else -%>
   t.index :email, unique: true
 <% end -%>
-end
-
-# Used if storing password hashes in a separate table (default)
-create_table :account_password_hashes<%= primary_key_type %> do |t|
-  t.foreign_key :accounts, column: :id
-  t.string :password_hash, null: false
+  t.string :password_hash
 end

data/lib/generators/rodauth/templates/app/misc/rodauth_main.rb

@@ -35,7 +35,7 @@ class RodauthMain < Rodauth::Rails::Auth
     account_status_column :status
 
     # Store password hash in a column instead of a separate table.
-    # account_password_hash_column :password_digest
+    account_password_hash_column :password_hash
 
     # Set password when creating account instead of when verifying.
     verify_account_set_password? false
@@ -138,6 +138,9 @@ class RodauthMain < Rodauth::Rails::Auth
 
     # Redirect to login page after password reset.
     reset_password_redirect { login_path }
+
+    # Ensure requiring login follows login route changes.
+    require_login_redirect { login_path }
 <% end -%>
 
     # ==> Deadlines

data/lib/generators/rodauth/templates/app/models/account.rb

@@ -1,4 +1,8 @@
 class Account < ApplicationRecord
   include Rodauth::Rails.model
+<% if ActiveRecord.version >= Gem::Version.new("7.0") -%>
   enum :status, unverified: 1, verified: 2, closed: 3
+<% else -%>
+  enum status: { unverified: 1, verified: 2, closed: 3 }
+<% end -%>
 end

data/lib/rodauth/rails/app.rb

@@ -5,17 +5,21 @@ module Rodauth
   module Rails
     # The superclass for creating a Rodauth middleware.
     class App < Roda
-      require "rodauth/rails/app/middleware"
-      plugin Middleware
+      plugin :middleware, forward_response_headers: true do |middleware|
+        middleware.class_eval do
+          def self.inspect
+            "#{superclass}::Middleware"
+          end
+
+          def inspect
+            "#<#{self.class.inspect} request=#{request.inspect} response=#{response.inspect}>"
+          end
+        end
+      end
 
       plugin :hooks
       plugin :render, layout: false
 
-      unless Rodauth::Rails.api_only?
-        require "rodauth/rails/app/flash"
-        plugin Flash
-      end
-
       def self.configure(*args, **options, &block)
         auth_class = args.shift if args[0].is_a?(Class)
         name       = args.shift if args[0].is_a?(Symbol)
@@ -35,6 +39,14 @@ module Rodauth
         end
       end
 
+      after do
+        rails_request.commit_flash
+      end unless ActionPack.version < Gem::Version.new("5.0")
+
+      def flash
+        rails_request.flash
+      end
+
       def rails_routes
         ::Rails.application.routes.url_helpers
       end

data/lib/rodauth/rails/controller_methods.rb

@@ -18,6 +18,15 @@ module Rodauth
 
       private
 
+      # Adds response status to instrumentation payload for logging,
+      # when calling a halting rodauth method inside a controller.
+      def append_info_to_payload(payload)
+        super
+        if request.env["rodauth.rails.status"]
+          payload[:status] = request.env.delete("rodauth.rails.status")
+        end
+      end
+
       def rodauth_response
         res = catch(:halt) { return yield }
 

data/lib/rodauth/rails/feature/base.rb

@@ -54,6 +54,16 @@ module Rodauth
 
         private
 
+        unless ActionPack.version < Gem::Version.new("5.0")
+          # When calling a Rodauth method that redirects inside the Rails
+          # router, Roda's after hook that commits the flash would never get
+          # called, so we make sure to commit the flash beforehand.
+          def redirect(*)
+            rails_request.commit_flash
+            super
+          end
+        end
+
         def instantiate_rails_account
           if defined?(ActiveRecord::Base) && rails_account_model < ActiveRecord::Base
             rails_account_model.instantiate(account.stringify_keys)

data/lib/rodauth/rails/feature/instrumentation.rb

@@ -10,6 +10,14 @@ module Rodauth
 
         def redirect(*)
           rails_instrument_redirection { super }
+        ensure
+          request.env["rodauth.rails.status"] = response.status
+        end
+
+        def return_response(*)
+          super
+        ensure
+          request.env["rodauth.rails.status"] = response.status
         end
 
         def rails_render(*)

data/lib/rodauth/rails/railtie.rb

@@ -1,5 +1,6 @@
 require "rodauth/rails/middleware"
 require "rodauth/rails/controller_methods"
+require "rodauth/rails/test"
 
 require "rails"
 
@@ -21,6 +22,14 @@ module Rodauth
       initializer "rodauth.test" do
         # Rodauth uses RACK_ENV to set the default bcrypt hash cost
         ENV["RACK_ENV"] = "test" if ::Rails.env.test?
+
+        if ActionPack.version >= Gem::Version.new("5.0")
+          ActiveSupport.on_load(:action_controller_test_case) do
+            include Rodauth::Rails::Test::Controller
+          end
+        else
+          ActionController::TestCase.include Rodauth::Rails::Test::Controller
+        end
       end
 
       rake_tasks do

data/lib/rodauth/rails/test/controller.rb

@@ -0,0 +1,41 @@
+require "active_support/concern"
+
+module Rodauth
+  module Rails
+    module Test
+      module Controller
+        extend ActiveSupport::Concern
+
+        included do
+          setup :setup_rodauth
+        end
+
+        def process(*)
+          catch_rodauth { super }
+        end
+        ruby2_keywords(:process) if respond_to?(:ruby2_keywords, true)
+
+        private
+
+        def setup_rodauth
+          Rodauth::Rails.app.opts[:rodauths].each do |name, auth_class|
+            scope = auth_class.roda_class.new(request.env)
+            request.env[["rodauth", *name].join(".")] = auth_class.new(scope)
+          end
+        end
+
+        def catch_rodauth(&block)
+          result = catch(:halt, &block)
+
+          if result.is_a?(Array) # rodauth response
+            response.status = result[0]
+            response.headers.merge! result[1]
+            response.body = result[2]
+          end
+
+          response
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/rails/test.rb

@@ -0,0 +1,7 @@
+module Rodauth
+  module Rails
+    module Test
+      autoload :Controller, "rodauth/rails/test/controller"
+    end
+  end
+end

data/lib/rodauth/rails/version.rb

@@ -1,5 +1,5 @@
 module Rodauth
   module Rails
-    VERSION = "1.2.1"
+    VERSION = "1.3.1"
   end
 end

data/rodauth-rails.gemspec

@@ -17,7 +17,8 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "railties", ">= 4.2", "< 8"
-  spec.add_dependency "rodauth", "~> 2.19"
+  spec.add_dependency "rodauth", "~> 2.23"
+  spec.add_dependency "roda", "~> 3.55"
   spec.add_dependency "sequel-activerecord_connection", "~> 1.1"
   spec.add_dependency "tilt"
   spec.add_dependency "bcrypt"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-rails
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.1
 platform: ruby
 authors:
 - Janko Marohnić
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-19 00:00:00.000000000 Z
+date: 2022-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -36,14 +36,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.19'
+        version: '2.23'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.19'
+        version: '2.23'
+- !ruby/object:Gem::Dependency
+  name: roda
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.55'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.55'
 - !ruby/object:Gem::Dependency
   name: sequel-activerecord_connection
   requirement: !ruby/object:Gem::Requirement
@@ -230,8 +244,6 @@ files:
 - lib/rodauth-rails.rb
 - lib/rodauth/rails.rb
 - lib/rodauth/rails/app.rb
-- lib/rodauth/rails/app/flash.rb
-- lib/rodauth/rails/app/middleware.rb
 - lib/rodauth/rails/auth.rb
 - lib/rodauth/rails/controller_methods.rb
 - lib/rodauth/rails/feature.rb
@@ -247,6 +259,8 @@ files:
 - lib/rodauth/rails/model/associations.rb
 - lib/rodauth/rails/railtie.rb
 - lib/rodauth/rails/tasks.rake
+- lib/rodauth/rails/test.rb
+- lib/rodauth/rails/test/controller.rb
 - lib/rodauth/rails/version.rb
 - rodauth-rails.gemspec
 homepage: https://github.com/janko/rodauth-rails

data/lib/rodauth/rails/app/flash.rb

@@ -1,46 +0,0 @@
-module Rodauth
-  module Rails
-    class App
-      # Roda plugin that sets up Rails flash integration.
-      module Flash
-        def self.load_dependencies(app)
-          app.plugin :hooks
-        end
-
-        def self.configure(app)
-          app.before { request.flash }        # load flash
-          app.after  { request.commit_flash } # save flash
-        end
-
-        module InstanceMethods
-          def flash
-            request.flash
-          end
-        end
-
-        module RequestMethods
-          # If the redirect would bubble up outside of the Roda app, the after
-          # hook would never get called, so we make sure to commit the flash.
-          def redirect(*)
-            commit_flash
-            super
-          end
-
-          def flash
-            scope.rails_request.flash
-          end
-
-          if ActionPack.version >= Gem::Version.new("5.0")
-            def commit_flash
-              scope.rails_request.commit_flash
-            end
-          else
-            def commit_flash
-              # ActionPack 4.2 automatically commits flash
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/rodauth/rails/app/middleware.rb

@@ -1,36 +0,0 @@
-module Rodauth
-  module Rails
-    class App
-      # Roda plugin that extends middleware plugin by propagating response headers.
-      module Middleware
-        def self.configure(app)
-          handle_result = -> (env, res) do
-            if headers = env.delete("rodauth.rails.headers")
-              res[1] = headers.merge(res[1])
-            end
-          end
-
-          app.plugin :middleware, handle_result: handle_result do |middleware|
-            middleware.plugin :hooks
-
-            middleware.after do
-              if response.empty? && response.headers.any?
-                env["rodauth.rails.headers"] = response.headers
-              end
-            end
-
-            middleware.class_eval do
-              def self.inspect
-                "#{superclass}::Middleware"
-              end
-
-              def inspect
-                "#<#{self.class.inspect} request=#{request.inspect} response=#{response.inspect}>"
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end