rodauth-rails 1.6.2 → 1.6.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/README.md +28 -27
- data/lib/generators/rodauth/templates/app/misc/rodauth_main.rb +6 -1
- data/lib/rodauth/rails/app.rb +5 -1
- data/lib/rodauth/rails/feature/base.rb +8 -4
- data/lib/rodauth/rails/feature/callbacks.rb +2 -0
- data/lib/rodauth/rails/feature/csrf.rb +4 -2
- data/lib/rodauth/rails/feature/email.rb +4 -2
- data/lib/rodauth/rails/feature/instrumentation.rb +2 -0
- data/lib/rodauth/rails/feature/internal_request.rb +2 -0
- data/lib/rodauth/rails/feature/render.rb +4 -2
- data/lib/rodauth/rails/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e133150815312f4fec4d4c03685b7a762b285860f72cd4594c5d034b58c8d37f
|
|
4
|
+
data.tar.gz: 10623324c6d20a69973f48faf950563d76ddffa1eb70f39cf82872b1318042ee
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a8b8d22356e108f7e7a6a4025958639546e2fd957a1115f5faf3faf187c136072c7aac1ab130e04a925637a77c31b99326c92d6e43cbc363b6bba3a89188718d
|
|
7
|
+
data.tar.gz: a5b40c767d34b94f8485d61cb0bd45021108ce927ee16892e72c2095c31a7091c75229bfd971f029227e5a24355de4f090cb75f5d974be9b7c267a5032e2e7c8
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
## 1.6.3 (2022-11-15)
|
|
2
|
+
|
|
3
|
+
* Suggest passing an integer to `verify_account_grace_period` instead of `ActiveSupport::Duration` (@vlado)
|
|
4
|
+
|
|
5
|
+
* Use `pass` plugin for forwarding other `{prefix}/*` requests when automatically routing the prefix (@janko)
|
|
6
|
+
|
|
7
|
+
* Set minimum password length to 8 in the generated configuration, as per OWASP recommendation (@janko)
|
|
8
|
+
|
|
9
|
+
* Set maximum password bytesize to 72 in the generated configuration, as bcrypt truncates inputs longer than 72 bytes (@janko)
|
|
10
|
+
|
|
1
11
|
## 1.6.2 (2022-09-19)
|
|
2
12
|
|
|
3
13
|
* Use matching precision for current timestamp default values in Active Record 7.0+ migrations on MySQL (@janko)
|
data/README.md
CHANGED
|
@@ -48,19 +48,12 @@ Active Record's database connection][sequel-activerecord_connection].
|
|
|
48
48
|
|
|
49
49
|
## Installation
|
|
50
50
|
|
|
51
|
-
Add the gem to your
|
|
51
|
+
Add the gem to your project:
|
|
52
52
|
|
|
53
|
-
```
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
# gem "jwt", require: false # for JWT feature
|
|
57
|
-
# gem "rotp", require: false # for OTP feature
|
|
58
|
-
# gem "rqrcode", require: false # for OTP feature
|
|
59
|
-
# gem "webauthn", require: false # for WebAuthn feature
|
|
53
|
+
```sh
|
|
54
|
+
$ bundle add rodauth-rails
|
|
60
55
|
```
|
|
61
56
|
|
|
62
|
-
Then run `bundle install`.
|
|
63
|
-
|
|
64
57
|
Next, run the install generator:
|
|
65
58
|
|
|
66
59
|
```sh
|
|
@@ -143,36 +136,44 @@ authentication experience, and the forms use [Bootstrap] markup.
|
|
|
143
136
|
|
|
144
137
|
### Current account
|
|
145
138
|
|
|
146
|
-
The `#
|
|
147
|
-
|
|
148
|
-
|
|
139
|
+
The Rodauth object defines a `#rails_account` method, which returns a model
|
|
140
|
+
instance of the currently logged in account. You can create a helper method for
|
|
141
|
+
easy access from controllers and views:
|
|
149
142
|
|
|
150
143
|
```rb
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
```
|
|
144
|
+
class ApplicationController < ActionController::Base
|
|
145
|
+
private
|
|
154
146
|
|
|
155
|
-
|
|
156
|
-
|
|
147
|
+
def current_account
|
|
148
|
+
rodauth.rails_account
|
|
149
|
+
end
|
|
150
|
+
helper_method :current_account # skip if inheriting from ActionController::API
|
|
151
|
+
end
|
|
152
|
+
```
|
|
157
153
|
|
|
158
154
|
```rb
|
|
159
|
-
current_account
|
|
155
|
+
current_account #=> #<Account id=123 email="user@example.com">
|
|
156
|
+
current_account.email #=> "user@example.com"
|
|
160
157
|
```
|
|
161
158
|
|
|
162
|
-
|
|
159
|
+
If the session is logged in, but the account doesn't exist in the database, the
|
|
160
|
+
session will be reset.
|
|
163
161
|
|
|
164
162
|
#### Custom account model
|
|
165
163
|
|
|
166
|
-
The `#
|
|
167
|
-
the configured table name.
|
|
168
|
-
|
|
164
|
+
The `#rails_account` method will try to infer the account model class from
|
|
165
|
+
the configured table name. For example, if the `accounts_table` is set to
|
|
166
|
+
`:users`, it will automatically assume the model class of `User`.
|
|
167
|
+
|
|
168
|
+
However, if the model class cannot be inferred from the table name, you can
|
|
169
|
+
configure it manually:
|
|
169
170
|
|
|
170
171
|
```rb
|
|
171
172
|
# app/misc/rodauth_main.rb
|
|
172
173
|
class RodauthMain < Rodauth::Rails::Auth
|
|
173
174
|
configure do
|
|
174
175
|
# ...
|
|
175
|
-
rails_account_model Authentication::Account # custom model name
|
|
176
|
+
rails_account_model { Authentication::Account } # custom model name
|
|
176
177
|
end
|
|
177
178
|
end
|
|
178
179
|
```
|
|
@@ -526,7 +527,7 @@ handles both storing the password hash in a column on the accounts table, or in
|
|
|
526
527
|
a separate table.
|
|
527
528
|
|
|
528
529
|
```rb
|
|
529
|
-
account = Account.create!(email: "user@example.com", password: "
|
|
530
|
+
account = Account.create!(email: "user@example.com", password: "secret123")
|
|
530
531
|
|
|
531
532
|
# when password hash is stored in a column on the accounts table
|
|
532
533
|
account.password_hash #=> "$2a$12$k/Ub1I2iomi84RacqY89Hu4.M0vK7klRnRtzorDyvOkVI.hKhkNw."
|
|
@@ -649,7 +650,7 @@ end
|
|
|
649
650
|
```
|
|
650
651
|
```rb
|
|
651
652
|
# primary configuration
|
|
652
|
-
RodauthApp.rodauth.create_account(login: "user@example.com", password: "
|
|
653
|
+
RodauthApp.rodauth.create_account(login: "user@example.com", password: "secret123")
|
|
653
654
|
RodauthApp.rodauth.verify_account(account_login: "user@example.com")
|
|
654
655
|
|
|
655
656
|
# secondary configuration
|
|
@@ -744,7 +745,7 @@ class ArticlesControllerTest < ActionController::TestCase
|
|
|
744
745
|
assert_redirected_to "/login"
|
|
745
746
|
assert_equal "Please login to continue", flash[:alert]
|
|
746
747
|
|
|
747
|
-
account = Account.create!(email: "user@example.com", password: "
|
|
748
|
+
account = Account.create!(email: "user@example.com", password: "secret123", status: "verified")
|
|
748
749
|
login(account)
|
|
749
750
|
|
|
750
751
|
get :index
|
|
@@ -40,6 +40,11 @@ class RodauthMain < Rodauth::Rails::Auth
|
|
|
40
40
|
# Store password hash in a column instead of a separate table.
|
|
41
41
|
account_password_hash_column :password_hash
|
|
42
42
|
|
|
43
|
+
# Passwords shorter than 8 characters are considered weak according to OWASP.
|
|
44
|
+
password_minimum_length 8
|
|
45
|
+
# bcrypt has a maximum input length of 72 bytes, truncating any extra bytes.
|
|
46
|
+
password_maximum_bytes 72
|
|
47
|
+
|
|
43
48
|
# Set password when creating account instead of when verifying.
|
|
44
49
|
verify_account_set_password? false
|
|
45
50
|
|
|
@@ -150,7 +155,7 @@ class RodauthMain < Rodauth::Rails::Auth
|
|
|
150
155
|
|
|
151
156
|
# ==> Deadlines
|
|
152
157
|
# Change default deadlines for some actions.
|
|
153
|
-
# verify_account_grace_period 3.days
|
|
158
|
+
# verify_account_grace_period 3.days.to_i
|
|
154
159
|
# reset_password_deadline_interval Hash[hours: 6]
|
|
155
160
|
# verify_login_change_deadline_interval Hash[days: 2]
|
|
156
161
|
<% unless jwt? -%>
|
data/lib/rodauth/rails/app.rb
CHANGED
|
@@ -19,6 +19,7 @@ module Rodauth
|
|
|
19
19
|
|
|
20
20
|
plugin :hooks
|
|
21
21
|
plugin :render, layout: false
|
|
22
|
+
plugin :pass
|
|
22
23
|
|
|
23
24
|
def self.configure(*args, **options, &block)
|
|
24
25
|
auth_class = args.shift if args[0].is_a?(Class)
|
|
@@ -30,6 +31,7 @@ module Rodauth
|
|
|
30
31
|
|
|
31
32
|
plugin :rodauth, auth_class: auth_class, name: name, csrf: false, flash: false, json: true, **options, &block
|
|
32
33
|
|
|
34
|
+
# we need to do it after request methods from rodauth have been included
|
|
33
35
|
self::RodaRequest.include RequestMethods
|
|
34
36
|
end
|
|
35
37
|
|
|
@@ -66,13 +68,15 @@ module Rodauth
|
|
|
66
68
|
end
|
|
67
69
|
|
|
68
70
|
module RequestMethods
|
|
71
|
+
# Automatically route the prefix if it hasn't been routed already. This
|
|
72
|
+
# way people only have to update prefix in their Rodauth configurations.
|
|
69
73
|
def rodauth(name = nil)
|
|
70
74
|
prefix = scope.rodauth(name).prefix
|
|
71
75
|
|
|
72
76
|
if prefix.present? && remaining_path == path_info
|
|
73
77
|
on prefix[1..-1] do
|
|
74
78
|
super
|
|
75
|
-
|
|
79
|
+
pass # forward other {prefix}/* requests downstream
|
|
76
80
|
end
|
|
77
81
|
else
|
|
78
82
|
super
|
|
@@ -1,11 +1,15 @@
|
|
|
1
|
+
require "active_support/concern"
|
|
2
|
+
|
|
1
3
|
module Rodauth
|
|
2
4
|
module Rails
|
|
3
5
|
module Feature
|
|
4
6
|
module Base
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
7
|
+
extend ActiveSupport::Concern
|
|
8
|
+
|
|
9
|
+
included do
|
|
10
|
+
auth_methods :rails_controller
|
|
11
|
+
auth_value_methods :rails_account_model
|
|
12
|
+
auth_cached_method :rails_controller_instance
|
|
9
13
|
end
|
|
10
14
|
|
|
11
15
|
def rails_account
|
|
@@ -2,8 +2,10 @@ module Rodauth
|
|
|
2
2
|
module Rails
|
|
3
3
|
module Feature
|
|
4
4
|
module Render
|
|
5
|
-
|
|
6
|
-
|
|
5
|
+
extend ActiveSupport::Concern
|
|
6
|
+
|
|
7
|
+
included do
|
|
8
|
+
auth_methods :rails_render
|
|
7
9
|
end
|
|
8
10
|
|
|
9
11
|
# Renders templates with layout. First tries to render a user-defined
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth-rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Janko Marohnić
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-11-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: railties
|