rodauth-rails 1.6.1 → 1.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5ff93d3c4aca14c931fdf919c2eae17371105b3c4ca6cf584d699892cb705c7b
-  data.tar.gz: 6bb909fe804de850bd1db16c4b0c0099f8755e1f17e874ab8973cfb1563cc88e
+  metadata.gz: e133150815312f4fec4d4c03685b7a762b285860f72cd4594c5d034b58c8d37f
+  data.tar.gz: 10623324c6d20a69973f48faf950563d76ddffa1eb70f39cf82872b1318042ee
 SHA512:
-  metadata.gz: d49446ff0285df582268de3c4dc03eef155d3dea86a3887442412ed7a84469bb4af99781e0771c98edc895ea5c5b614ab549a3042c472108a24567676592fe2e
-  data.tar.gz: c40379f9ec9c15152018fb7e6b0be8cf880ff4b59726615ccb3954ee7bfe529122258fc1f838e4b67581b8cfeff285ff2ad60dcfbb06fc0773eefa3c3ab9ba54
+  metadata.gz: a8b8d22356e108f7e7a6a4025958639546e2fd957a1115f5faf3faf187c136072c7aac1ab130e04a925637a77c31b99326c92d6e43cbc363b6bba3a89188718d
+  data.tar.gz: a5b40c767d34b94f8485d61cb0bd45021108ce927ee16892e72c2095c31a7091c75229bfd971f029227e5a24355de4f090cb75f5d974be9b7c267a5032e2e7c8

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 1.6.3 (2022-11-15)
+
+* Suggest passing an integer to `verify_account_grace_period` instead of `ActiveSupport::Duration` (@vlado)
+
+* Use `pass` plugin for forwarding other `{prefix}/*` requests when automatically routing the prefix (@janko)
+
+* Set minimum password length to 8 in the generated configuration, as per OWASP recommendation (@janko)
+
+* Set maximum password bytesize to 72 in the generated configuration, as bcrypt truncates inputs longer than 72 bytes (@janko)
+
+## 1.6.2 (2022-09-19)
+
+* Use matching precision for current timestamp default values in Active Record 7.0+ migrations on MySQL (@janko)
+
 ## 1.6.1 (2022-09-19)
 
 * Fix argument error when calling `RodauthMailer` in default configuration (@janko)

data/README.md

@@ -48,19 +48,12 @@ Active Record's database connection][sequel-activerecord_connection].
 
 ## Installation
 
-Add the gem to your Gemfile:
+Add the gem to your project:
 
-```rb
-gem "rodauth-rails", "~> 1.0"
-
-# gem "jwt",      require: false # for JWT feature
-# gem "rotp",     require: false # for OTP feature
-# gem "rqrcode",  require: false # for OTP feature
-# gem "webauthn", require: false # for WebAuthn feature
+```sh
+$ bundle add rodauth-rails
 ```
 
-Then run `bundle install`.
-
 Next, run the install generator:
 
 ```sh
@@ -143,36 +136,44 @@ authentication experience, and the forms use [Bootstrap] markup.
 
 ### Current account
 
-The `#current_account` method is defined in controllers and views, which
-returns the model instance of the currently logged in account. If the account
-doesn't exist in the database, the session will be cleared.
+The Rodauth object defines a `#rails_account` method, which returns a model
+instance of the currently logged in account. You can create a helper method for
+easy access from controllers and views:
 
 ```rb
-current_account #=> #<Account id=123 email="user@example.com">
-current_account.email #=> "user@example.com"
-```
+class ApplicationController < ActionController::Base
+  private
 
-Pass the configuration name to retrieve accounts belonging to other Rodauth
-configurations:
+  def current_account
+    rodauth.rails_account
+  end
+  helper_method :current_account # skip if inheriting from ActionController::API
+end
+```
 
 ```rb
-current_account(:admin)
+current_account #=> #<Account id=123 email="user@example.com">
+current_account.email #=> "user@example.com"
 ```
 
-This just delegates to the `#rails_account` method on the Rodauth object.
+If the session is logged in, but the account doesn't exist in the database, the
+session will be reset.
 
 #### Custom account model
 
-The `#current_account` method will try to infer the account model class from
-the configured table name. If that fails, you can set the account model
-manually:
+The `#rails_account` method will try to infer the account model class from
+the configured table name. For example, if the `accounts_table` is set to
+`:users`, it will automatically assume the model class of `User`.
+
+However, if the model class cannot be inferred from the table name, you can
+configure it manually:
 
 ```rb
 # app/misc/rodauth_main.rb
 class RodauthMain < Rodauth::Rails::Auth
   configure do
     # ...
-    rails_account_model Authentication::Account # custom model name
+    rails_account_model { Authentication::Account } # custom model name
   end
 end
 ```
@@ -526,7 +527,7 @@ handles both storing the password hash in a column on the accounts table, or in
 a separate table.
 
 ```rb
-account = Account.create!(email: "user@example.com", password: "secret")
+account = Account.create!(email: "user@example.com", password: "secret123")
 
 # when password hash is stored in a column on the accounts table
 account.password_hash #=> "$2a$12$k/Ub1I2iomi84RacqY89Hu4.M0vK7klRnRtzorDyvOkVI.hKhkNw."
@@ -649,7 +650,7 @@ end
 ```
 ```rb
 # primary configuration
-RodauthApp.rodauth.create_account(login: "user@example.com", password: "secret")
+RodauthApp.rodauth.create_account(login: "user@example.com", password: "secret123")
 RodauthApp.rodauth.verify_account(account_login: "user@example.com")
 
 # secondary configuration
@@ -744,7 +745,7 @@ class ArticlesControllerTest < ActionController::TestCase
     assert_redirected_to "/login"
     assert_equal "Please login to continue", flash[:alert]
 
-    account = Account.create!(email: "user@example.com", password: "secret", status: "verified")
+    account = Account.create!(email: "user@example.com", password: "secret123", status: "verified")
     login(account)
 
     get :index

data/lib/generators/rodauth/migration_generator.rb

@@ -110,9 +110,19 @@ module Rodauth
 
           def current_timestamp
             if ActiveRecord.version >= Gem::Version.new("5.0")
-              %(-> { "CURRENT_TIMESTAMP" })
+              %(-> { "#{current_timestamp_literal}" })
             else
-              %(OpenStruct.new(quoted_id: "CURRENT_TIMESTAMP"))
+              %(OpenStruct.new(quoted_id: "#{current_timestamp_literal}"))
+            end
+          end
+
+          # Active Record 7+ sets default precision to 6 for timestamp columns,
+          # so we need to ensure we match this when setting the default value.
+          def current_timestamp_literal
+            if ActiveRecord.version >= Gem::Version.new("7.0") && activerecord_adapter == "mysql2" && ActiveRecord::Base.connection.supports_datetime_with_precision?
+              "CURRENT_TIMESTAMP(6)"
+            else
+              "CURRENT_TIMESTAMP"
             end
           end
         else # Sequel

data/lib/generators/rodauth/templates/app/misc/rodauth_main.rb

@@ -40,6 +40,11 @@ class RodauthMain < Rodauth::Rails::Auth
     # Store password hash in a column instead of a separate table.
     account_password_hash_column :password_hash
 
+    # Passwords shorter than 8 characters are considered weak according to OWASP.
+    password_minimum_length 8
+    # bcrypt has a maximum input length of 72 bytes, truncating any extra bytes.
+    password_maximum_bytes 72
+
     # Set password when creating account instead of when verifying.
     verify_account_set_password? false
 
@@ -150,7 +155,7 @@ class RodauthMain < Rodauth::Rails::Auth
 
     # ==> Deadlines
     # Change default deadlines for some actions.
-    # verify_account_grace_period 3.days
+    # verify_account_grace_period 3.days.to_i
     # reset_password_deadline_interval Hash[hours: 6]
     # verify_login_change_deadline_interval Hash[days: 2]
 <% unless jwt? -%>

data/lib/rodauth/rails/app.rb

@@ -19,6 +19,7 @@ module Rodauth
 
       plugin :hooks
       plugin :render, layout: false
+      plugin :pass
 
       def self.configure(*args, **options, &block)
         auth_class = args.shift if args[0].is_a?(Class)
@@ -30,6 +31,7 @@ module Rodauth
 
         plugin :rodauth, auth_class: auth_class, name: name, csrf: false, flash: false, json: true, **options, &block
 
+        # we need to do it after request methods from rodauth have been included
         self::RodaRequest.include RequestMethods
       end
 
@@ -66,13 +68,15 @@ module Rodauth
       end
 
       module RequestMethods
+        # Automatically route the prefix if it hasn't been routed already. This
+        # way people only have to update prefix in their Rodauth configurations.
         def rodauth(name = nil)
           prefix = scope.rodauth(name).prefix
 
           if prefix.present? && remaining_path == path_info
             on prefix[1..-1] do
               super
-              break # forward other `{prefix}/*` requests to the rails router
+              pass # forward other {prefix}/* requests downstream
             end
           else
             super

data/lib/rodauth/rails/feature/base.rb

@@ -1,11 +1,15 @@
+require "active_support/concern"
+
 module Rodauth
   module Rails
     module Feature
       module Base
-        def self.included(feature)
-          feature.auth_methods :rails_controller
-          feature.auth_value_methods :rails_account_model
-          feature.auth_cached_method :rails_controller_instance
+        extend ActiveSupport::Concern
+
+        included do
+          auth_methods :rails_controller
+          auth_value_methods :rails_account_model
+          auth_cached_method :rails_controller_instance
         end
 
         def rails_account

data/lib/rodauth/rails/feature/callbacks.rb

@@ -2,6 +2,8 @@ module Rodauth
   module Rails
     module Feature
       module Callbacks
+        extend ActiveSupport::Concern
+
         private
 
         def _around_rodauth

data/lib/rodauth/rails/feature/csrf.rb

@@ -2,8 +2,10 @@ module Rodauth
   module Rails
     module Feature
       module Csrf
-        def self.included(feature)
-          feature.auth_methods(
+        extend ActiveSupport::Concern
+
+        included do
+          auth_methods(
             :rails_csrf_tag,
             :rails_csrf_param,
             :rails_csrf_token,

data/lib/rodauth/rails/feature/email.rb

@@ -2,8 +2,10 @@ module Rodauth
   module Rails
     module Feature
       module Email
-        def self.included(feature)
-          feature.depends :email_base
+        extend ActiveSupport::Concern
+
+        included do
+          depends :email_base
         end
 
         private

data/lib/rodauth/rails/feature/instrumentation.rb

@@ -2,6 +2,8 @@ module Rodauth
   module Rails
     module Feature
       module Instrumentation
+        extend ActiveSupport::Concern
+
         private
 
         def _around_rodauth

data/lib/rodauth/rails/feature/internal_request.rb

@@ -2,6 +2,8 @@ module Rodauth
   module Rails
     module Feature
       module InternalRequest
+        extend ActiveSupport::Concern
+
         def domain
           return super unless missing_host? && rails_url_options
 

data/lib/rodauth/rails/feature/render.rb

@@ -2,8 +2,10 @@ module Rodauth
   module Rails
     module Feature
       module Render
-        def self.included(feature)
-          feature.auth_methods :rails_render
+        extend ActiveSupport::Concern
+
+        included do
+          auth_methods :rails_render
         end
 
         # Renders templates with layout. First tries to render a user-defined

data/lib/rodauth/rails/version.rb

@@ -1,5 +1,5 @@
 module Rodauth
   module Rails
-    VERSION = "1.6.1"
+    VERSION = "1.6.3"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-rails
 version: !ruby/object:Gem::Version
-  version: 1.6.1
+  version: 1.6.3
 platform: ruby
 authors:
 - Janko Marohnić
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-19 00:00:00.000000000 Z
+date: 2022-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties