rodauth-rails 1.6.2 → 1.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f29cbaceb49208cac659dd31cbfcb874bf0df2c3b6b0133680f75904ab07a578
-  data.tar.gz: 2c9c7ed9e5d91428f15058274c0896298402e93d22a94c90c7d127e33699a1a7
+  metadata.gz: a49174b3518279a0414854312fe7ce6e5f8c9094b41a39d7e5f89b1860e844aa
+  data.tar.gz: 6a3fe7d3577aaaa944630b874688d6223139cb50877aa700157b537eeea97f35
 SHA512:
-  metadata.gz: 546070f740b95f26d8f29b632672339215383737e9b6497c64d613c3c07929052477022a4e70051254d267a037c7b794448674aa99927d26edb4322cf274f778
-  data.tar.gz: 638ecc60b072197c490180a8241ed5af02ed3d6114f3cf5aa2e621ced9296e175d6d5b579543e43d23283164d3193551eb68efd54b2ef3b68cb79f49462397d8
+  metadata.gz: 7ef86cb7557eb8aadf205ea5593332e678e6165768aa4288d6ba50456d608fff0eca2c4ce33bd767111ac5a6f07a4fae00d39fd9957ead4198abb4d40816fc77
+  data.tar.gz: 22158dec21b5cb2d5b6b77fc29c34515bf7cf90febafa87c576536a31f96866fb404f488d1970cd0db9fae2503b6dc274318e017311d6a6b0eb765e00e714776

data/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 1.6.4 (2022-11-24)
+
+* Make `#rails_account` work on directly allocated Rodauth object with `@account` set (@janko)
+
+* Add commented out email configuration for `password_reset_notify` feature (@janko)
+
+* Design generated mailer in a way that exposes the Rodauth object (@janko)
+
+* Fix generated logout page always logging out globally when using active sessions feature (@janko)
+
+## 1.6.3 (2022-11-15)
+
+* Suggest passing an integer to `verify_account_grace_period` instead of `ActiveSupport::Duration` (@vlado)
+
+* Use `pass` plugin for forwarding other `{prefix}/*` requests when automatically routing the prefix (@janko)
+
+* Set minimum password length to 8 in the generated configuration, as per OWASP recommendation (@janko)
+
+* Set maximum password bytesize to 72 in the generated configuration, as bcrypt truncates inputs longer than 72 bytes (@janko)
+
 ## 1.6.2 (2022-09-19)
 
 * Use matching precision for current timestamp default values in Active Record 7.0+ migrations on MySQL (@janko)

data/README.md

@@ -40,26 +40,27 @@ of the advantages that stand out for me:
 * consistent before/after hooks around everything
 * dedicated object encapsulating all authentication logic
 
-One common concern is the fact that, unlike most other authentication
-frameworks for Rails, Rodauth uses [Sequel] for database interaction instead of
-Active Record. There are good reasons for this, and to make Rodauth work
-smoothly alongside Active Record, rodauth-rails configures Sequel to [reuse
-Active Record's database connection][sequel-activerecord_connection].
+### Sequel
 
-## Installation
+One common concern for people coming from other Rails authentication frameworks
+is the fact that Rodauth uses [Sequel] for database interaction instead of
+Active Record. Sequel has powerful APIs for building advanced queries,
+supporting complex SQL expressions, database-agnostic date arithmetic, SQL
+function calls and more, all without having to drop down to raw SQL.
 
-Add the gem to your Gemfile:
+For Rails apps using Active Record, rodauth-rails configures Sequel to [reuse
+Active Record's database connection][sequel-activerecord_connection]. This
+makes it run smoothly alongside Active Record, even allowing calling Active
+Record code from within Rodauth configuration. So, for all intents and
+purposes, Sequel can be treated just as an implementation detail of Rodauth.
 
-```rb
-gem "rodauth-rails", "~> 1.0"
+## Installation
 
-# gem "jwt",      require: false # for JWT feature
-# gem "rotp",     require: false # for OTP feature
-# gem "rqrcode",  require: false # for OTP feature
-# gem "webauthn", require: false # for WebAuthn feature
-```
+Add the gem to your project:
 
-Then run `bundle install`.
+```sh
+$ bundle add rodauth-rails
+```
 
 Next, run the install generator:
 
@@ -143,36 +144,44 @@ authentication experience, and the forms use [Bootstrap] markup.
 
 ### Current account
 
-The `#current_account` method is defined in controllers and views, which
-returns the model instance of the currently logged in account. If the account
-doesn't exist in the database, the session will be cleared.
+The Rodauth object defines a `#rails_account` method, which returns a model
+instance of the currently logged in account. You can create a helper method for
+easy access from controllers and views:
 
 ```rb
-current_account #=> #<Account id=123 email="user@example.com">
-current_account.email #=> "user@example.com"
-```
+class ApplicationController < ActionController::Base
+  private
 
-Pass the configuration name to retrieve accounts belonging to other Rodauth
-configurations:
+  def current_account
+    rodauth.rails_account
+  end
+  helper_method :current_account # skip if inheriting from ActionController::API
+end
+```
 
 ```rb
-current_account(:admin)
+current_account #=> #<Account id=123 email="user@example.com">
+current_account.email #=> "user@example.com"
 ```
 
-This just delegates to the `#rails_account` method on the Rodauth object.
+If the session is logged in, but the account doesn't exist in the database, the
+session will be reset.
 
 #### Custom account model
 
-The `#current_account` method will try to infer the account model class from
-the configured table name. If that fails, you can set the account model
-manually:
+The `#rails_account` method will try to infer the account model class from
+the configured table name. For example, if the `accounts_table` is set to
+`:users`, it will automatically assume the model class of `User`.
+
+However, if the model class cannot be inferred from the table name, you can
+configure it manually:
 
 ```rb
 # app/misc/rodauth_main.rb
 class RodauthMain < Rodauth::Rails::Auth
   configure do
     # ...
-    rails_account_model Authentication::Account # custom model name
+    rails_account_model { Authentication::Account } # custom model name
   end
 end
 ```
@@ -526,7 +535,7 @@ handles both storing the password hash in a column on the accounts table, or in
 a separate table.
 
 ```rb
-account = Account.create!(email: "user@example.com", password: "secret")
+account = Account.create!(email: "user@example.com", password: "secret123")
 
 # when password hash is stored in a column on the accounts table
 account.password_hash #=> "$2a$12$k/Ub1I2iomi84RacqY89Hu4.M0vK7klRnRtzorDyvOkVI.hKhkNw."
@@ -649,7 +658,7 @@ end
 ```
 ```rb
 # primary configuration
-RodauthApp.rodauth.create_account(login: "user@example.com", password: "secret")
+RodauthApp.rodauth.create_account(login: "user@example.com", password: "secret123")
 RodauthApp.rodauth.verify_account(account_login: "user@example.com")
 
 # secondary configuration
@@ -719,10 +728,9 @@ Rodauth::Rails.rodauth(:admin, params: { "param" => "value" })
 ## Testing
 
 For system and integration tests, which run the whole middleware stack,
-authentication can be exercised normally via HTTP endpoints. See [this wiki
-page](https://github.com/janko/rodauth-rails/wiki/Testing) for some examples.
+authentication can be exercised normally via HTTP endpoints. For example, given
+a controller
 
-For controller tests, you can log in accounts by modifying the session:
 
 ```rb
 # app/controllers/articles_controller.rb
@@ -734,9 +742,23 @@ class ArticlesController < ApplicationController
   end
 end
 ```
+
+One can write `ActionDispatch::IntegrationTest` test helpers for `login` and
+`logout` by making requests to the rodauth endpoints
+
 ```rb
 # test/controllers/articles_controller_test.rb
-class ArticlesControllerTest < ActionController::TestCase
+class ArticlesControllerTest < ActionDispatch::IntegrationTest
+  def login(login, password)
+    post "/login", params: { login: login, password: password }
+    assert_redirected_to "/"
+  end
+
+  def logout
+    post "/logout"
+    assert_redirected_to "/"
+  end
+  
   test "required authentication" do
     get :index
 
@@ -744,8 +766,8 @@ class ArticlesControllerTest < ActionController::TestCase
     assert_redirected_to "/login"
     assert_equal "Please login to continue", flash[:alert]
 
-    account = Account.create!(email: "user@example.com", password: "secret", status: "verified")
-    login(account)
+    account = Account.create!(email: "user@example.com", password: "secret123", status: "verified")
+    login(account.email, "secret123")
 
     get :index
     assert_response 200
@@ -756,45 +778,11 @@ class ArticlesControllerTest < ActionController::TestCase
     assert_response 302
     assert_equal "Please login to continue", flash[:alert]
   end
-
-  private
-
-  # Manually modify the session into what Rodauth expects.
-  def login(account)
-    session[:account_id] = account.id
-    session[:authenticated_by] = ["password"] # or ["password", "totp"] for MFA
-  end
-
-  def logout
-    session.clear
-  end
 end
 ```
 
-If you're using multiple configurations with different session prefixes, you'll need
-to make sure to use those in controller tests as well:
-
-```rb
-class RodauthAdmin < Rodauth::Rails::Auth
-  configure do
-    session_key_prefix "admin_"
-  end
-end
-```
-```rb
-# in a controller test:
-session[:admin_account_id] = account.id
-session[:admin_authenticated_by] = ["password"]
-```
-
-If you want to access the Rodauth instance in controller tests, you can do so
-through the controller instance:
-
-```rb
-# in a controller test:
-@controller.rodauth         #=> #<RodauthMain ...>
-@controller.rodauth(:admin) #=> #<RodauthAdmin ...>
-```
+For more examples and information about testing with rodauth, see
+[this wiki page about testing](https://github.com/janko/rodauth-rails/wiki/Testing). 
 
 ## Configuring
 
@@ -1068,19 +1056,6 @@ end
 <% rodauth(:admin) #=> #<RodauthAdmin> (if using multiple configurations) %>
 ```
 
-### Sequel
-
-Rodauth uses the [Sequel] library for database interaction, which offers
-powerful APIs for building advanced queries (it supports SQL expressions,
-database-agnostic date arithmetic, SQL function calls).
-
-If you're using Active Record in your application, the `rodauth:install`
-generator automatically configures Sequel to reuse ActiveRecord's database
-connection, using the [sequel-activerecord_connection] gem.
-
-This means that, from the usage perspective, Sequel can be considered just
-as an implementation detail of Rodauth.
-
 ## Rodauth defaults
 
 rodauth-rails changes some of the default Rodauth settings for easier setup:

data/lib/generators/rodauth/templates/app/mailers/rodauth_mailer.rb

@@ -1,64 +1,60 @@
 class RodauthMailer < ApplicationMailer
   def verify_account(name, account_id, key)
-    @email_link = email_link(name, :verify_account, account_id, key)
-    @account = find_account(name, account_id)
+    @rodauth = rodauth(name, account_id) { @verify_account_key_value = key }
+    @account = @rodauth.rails_account
 
-    mail to: @account.email, subject: rodauth(name).verify_account_email_subject
+    mail to: @account.email, subject: @rodauth.verify_account_email_subject
   end
 
   def reset_password(name, account_id, key)
-    @email_link = email_link(name, :reset_password, account_id, key)
-    @account = find_account(name, account_id)
+    @rodauth = rodauth(name, account_id) { @reset_password_key_value = key }
+    @account = @rodauth.rails_account
 
-    mail to: @account.email, subject: rodauth(name).reset_password_email_subject
+    mail to: @account.email, subject: @rodauth.reset_password_email_subject
   end
 
   def verify_login_change(name, account_id, key)
-    @email_link = email_link(name, :verify_login_change, account_id, key)
-    @account = find_account(name, account_id)
+    @rodauth = rodauth(name, account_id) { @verify_login_change_key_value = key }
+    @account = @rodauth.rails_account
     @new_email = @account.login_change_key.login
 
-    mail to: @new_email, subject: rodauth(name).verify_login_change_email_subject
+    mail to: @new_email, subject: @rodauth.verify_login_change_email_subject
   end
 
   def password_changed(name, account_id)
-    @account = find_account(name, account_id)
+    @rodauth = rodauth(name, account_id)
+    @account = @rodauth.rails_account
 
-    mail to: @account.email, subject: rodauth(name).password_changed_email_subject
+    mail to: @account.email, subject: @rodauth.password_changed_email_subject
   end
 
+  # def reset_password_notify(name, account_id)
+  #   @rodauth = rodauth(name, account_id)
+  #   @account = @rodauth.rails_account
+
+  #   mail to: @account.email, subject: @rodauth.reset_password_notify_email_subject
+  # end
+
   # def email_auth(name, account_id, key)
-  #   @email_link = email_link(name, :email_auth, account_id, key)
-  #   @account = find_account(name, account_id)
+  #   @rodauth = rodauth(name, account_id) { @email_auth_key_value = key }
+  #   @account = @rodauth.rails_account
 
-  #   mail to: @account.email, subject: rodauth(name).email_auth_email_subject
+  #   mail to: @account.email, subject: @rodauth.email_auth_email_subject
   # end
 
   # def unlock_account(name, account_id, key)
-  #   @email_link = email_link(name, :unlock_account, account_id, key)
-  #   @account = find_account(name, account_id)
+  #   @rodauth = rodauth(name, account_id) { @unlock_account_key_value = key }
+  #   @account = @rodauth.rails_account
 
-  #   mail to: @account.email, subject: rodauth(name).unlock_account_email_subject
+  #   mail to: @account.email, subject: @rodauth.unlock_account_email_subject
   # end
 
   private
 
-  def find_account(_name, account_id)
-<% if defined?(ActiveRecord::Railtie) -%>
-    Account.find(account_id)
-<% else -%>
-    Account.with_pk!(account_id)
-<% end -%>
-  end
-
-  def email_link(name, action, account_id, key)
-    instance = rodauth(name)
-    instance.instance_variable_set(:@account, { id: account_id })
-    instance.instance_variable_set(:"@#{action}_key_value", key)
-    instance.public_send(:"#{action}_email_link")
-  end
-
-  def rodauth(name)
-    RodauthApp.rodauth(name).allocate
+  def rodauth(name, account_id, &block)
+    instance = RodauthApp.rodauth(name).allocate
+    instance.instance_eval { @account = account_ds(account_id).first! }
+    instance.instance_eval(&block) if block
+    instance
   end
 end

data/lib/generators/rodauth/templates/app/misc/rodauth_main.rb

@@ -40,6 +40,11 @@ class RodauthMain < Rodauth::Rails::Auth
     # Store password hash in a column instead of a separate table.
     account_password_hash_column :password_hash
 
+    # Passwords shorter than 8 characters are considered weak according to OWASP.
+    password_minimum_length 8
+    # bcrypt has a maximum input length of 72 bytes, truncating any extra bytes.
+    password_maximum_bytes 72
+
     # Set password when creating account instead of when verifying.
     verify_account_set_password? false
 
@@ -71,6 +76,9 @@ class RodauthMain < Rodauth::Rails::Auth
     create_password_changed_email do
       RodauthMailer.password_changed(self.class.configuration_name, account_id)
     end
+    # create_reset_password_notify_email do
+    #   RodauthMailer.reset_password_notify(self.class.configuration_name, account_id)
+    # end
     # create_email_auth_email do
     #   RodauthMailer.email_auth(self.class.configuration_name, account_id, email_auth_key_value)
     # end
@@ -150,7 +158,7 @@ class RodauthMain < Rodauth::Rails::Auth
 
     # ==> Deadlines
     # Change default deadlines for some actions.
-    # verify_account_grace_period 3.days
+    # verify_account_grace_period 3.days.to_i
     # reset_password_deadline_interval Hash[hours: 6]
     # verify_login_change_deadline_interval Hash[days: 2]
 <% unless jwt? -%>

data/lib/generators/rodauth/templates/app/views/rodauth/logout.html.erb

@@ -2,7 +2,7 @@
   <% if rodauth.features.include?(:active_sessions) %>
     <div class="form-group mb-3">
       <div class="form-check">
-        <%= form.check_box rodauth.global_logout_param, id: "global-logout", class: "form-check-input" %>
+        <%= form.check_box rodauth.global_logout_param, id: "global-logout", class: "form-check-input", include_hidden: false %>
         <%= form.label "global-logout", rodauth.global_logout_label, class: "form-check-label" %>
       </div>
     </div>

data/lib/generators/rodauth/templates/app/views/rodauth_mailer/email_auth.text.erb

@@ -1,5 +1,5 @@
 Someone has requested a login link for the account with this email
 address.  If you did not request a login link, please ignore this
 message.  If you requested a login link, please go to
-<%= @email_link %>
+<%= @rodauth.email_auth_email_link %>
 to login to this account.

data/lib/generators/rodauth/templates/app/views/rodauth_mailer/reset_password.text.erb

@@ -1,5 +1,5 @@
 Someone has requested a password reset for the account with this email
 address.  If you did not request a password reset, please ignore this
 message.  If you requested a password reset, please go to
-<%= @email_link %>
+<%= @rodauth.reset_password_email_link %>
 to reset the password for the account.

data/lib/generators/rodauth/templates/app/views/rodauth_mailer/reset_password_notify.text.erb

@@ -0,0 +1,2 @@
+Someone (hopefully you) has reset the password for the account
+associated to this email address.

data/lib/generators/rodauth/templates/app/views/rodauth_mailer/unlock_account.text.erb

@@ -1,5 +1,5 @@
-Someone has requested that the account with this email be unlocked.
+Someone has requested a that the account with this email be unlocked.
 If you did not request the unlocking of this account, please ignore this
 message.  If you requested the unlocking of this account, please go to
-<%= @email_link %>
+<%= @rodauth.unlock_account_email_link %>
 to unlock this account.

data/lib/generators/rodauth/templates/app/views/rodauth_mailer/verify_account.text.erb

@@ -1,4 +1,4 @@
 Someone has created an account with this email address.  If you did not create
 this account, please ignore this message.  If you created this account, please go to
-<%= @email_link %>
+<%= @rodauth.verify_account_email_link %>
 to verify the account.

data/lib/generators/rodauth/templates/app/views/rodauth_mailer/verify_login_change.text.erb

@@ -6,5 +6,5 @@ New email: <%= @new_email %>
 
 If you did not request this login change, please ignore this message.  If you
 requested this login change, please go to
-<%= @email_link %>
+<%= @rodauth.verify_login_change_email_link %>
 to verify the login change.

data/lib/rodauth/rails/app.rb

@@ -19,6 +19,7 @@ module Rodauth
 
       plugin :hooks
       plugin :render, layout: false
+      plugin :pass
 
       def self.configure(*args, **options, &block)
         auth_class = args.shift if args[0].is_a?(Class)
@@ -30,6 +31,7 @@ module Rodauth
 
         plugin :rodauth, auth_class: auth_class, name: name, csrf: false, flash: false, json: true, **options, &block
 
+        # we need to do it after request methods from rodauth have been included
         self::RodaRequest.include RequestMethods
       end
 
@@ -66,13 +68,15 @@ module Rodauth
       end
 
       module RequestMethods
+        # Automatically route the prefix if it hasn't been routed already. This
+        # way people only have to update prefix in their Rodauth configurations.
         def rodauth(name = nil)
           prefix = scope.rodauth(name).prefix
 
           if prefix.present? && remaining_path == path_info
             on prefix[1..-1] do
               super
-              break # forward other `{prefix}/*` requests to the rails router
+              pass # forward other {prefix}/* requests downstream
             end
           else
             super

data/lib/rodauth/rails/feature/base.rb

@@ -1,15 +1,19 @@
+require "active_support/concern"
+
 module Rodauth
   module Rails
     module Feature
       module Base
-        def self.included(feature)
-          feature.auth_methods :rails_controller
-          feature.auth_value_methods :rails_account_model
-          feature.auth_cached_method :rails_controller_instance
+        extend ActiveSupport::Concern
+
+        included do
+          auth_methods :rails_controller
+          auth_value_methods :rails_account_model
+          auth_cached_method :rails_controller_instance
         end
 
         def rails_account
-          return unless logged_in?
+          return unless account || logged_in?
 
           account_from_session unless account
 

data/lib/rodauth/rails/feature/callbacks.rb

@@ -2,6 +2,8 @@ module Rodauth
   module Rails
     module Feature
       module Callbacks
+        extend ActiveSupport::Concern
+
         private
 
         def _around_rodauth

data/lib/rodauth/rails/feature/csrf.rb

@@ -2,8 +2,10 @@ module Rodauth
   module Rails
     module Feature
       module Csrf
-        def self.included(feature)
-          feature.auth_methods(
+        extend ActiveSupport::Concern
+
+        included do
+          auth_methods(
             :rails_csrf_tag,
             :rails_csrf_param,
             :rails_csrf_token,

data/lib/rodauth/rails/feature/email.rb

@@ -2,8 +2,10 @@ module Rodauth
   module Rails
     module Feature
       module Email
-        def self.included(feature)
-          feature.depends :email_base
+        extend ActiveSupport::Concern
+
+        included do
+          depends :email_base
         end
 
         private

data/lib/rodauth/rails/feature/instrumentation.rb

@@ -2,6 +2,8 @@ module Rodauth
   module Rails
     module Feature
       module Instrumentation
+        extend ActiveSupport::Concern
+
         private
 
         def _around_rodauth

data/lib/rodauth/rails/feature/internal_request.rb

@@ -2,6 +2,8 @@ module Rodauth
   module Rails
     module Feature
       module InternalRequest
+        extend ActiveSupport::Concern
+
         def domain
           return super unless missing_host? && rails_url_options
 

data/lib/rodauth/rails/feature/render.rb

@@ -2,8 +2,10 @@ module Rodauth
   module Rails
     module Feature
       module Render
-        def self.included(feature)
-          feature.auth_methods :rails_render
+        extend ActiveSupport::Concern
+
+        included do
+          auth_methods :rails_render
         end
 
         # Renders templates with layout. First tries to render a user-defined

data/lib/rodauth/rails/version.rb

@@ -1,5 +1,5 @@
 module Rodauth
   module Rails
-    VERSION = "1.6.2"
+    VERSION = "1.6.4"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-rails
 version: !ruby/object:Gem::Version
-  version: 1.6.2
+  version: 1.6.4
 platform: ruby
 authors:
 - Janko Marohnić
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-19 00:00:00.000000000 Z
+date: 2022-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -265,6 +265,7 @@ files:
 - lib/generators/rodauth/templates/app/views/rodauth_mailer/email_auth.text.erb
 - lib/generators/rodauth/templates/app/views/rodauth_mailer/password_changed.text.erb
 - lib/generators/rodauth/templates/app/views/rodauth_mailer/reset_password.text.erb
+- lib/generators/rodauth/templates/app/views/rodauth_mailer/reset_password_notify.text.erb
 - lib/generators/rodauth/templates/app/views/rodauth_mailer/unlock_account.text.erb
 - lib/generators/rodauth/templates/app/views/rodauth_mailer/verify_account.text.erb
 - lib/generators/rodauth/templates/app/views/rodauth_mailer/verify_login_change.text.erb