rodauth-rails 0.17.0 → 0.17.1

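--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 1539e5f70a8cefa3c40e06b5b177152e4772f099deb11a077f07f59529622a62
- data.tar.gz: 67c9a6829f8a9c45708cb1ab0781a2eebe1998d5f31f66b26d5c7f58cb37cdf8
+ metadata.gz: 458a4a5552c124a1e7587837bbd57eed020857ae691bcc4b1f2e2639df774bb8
+ data.tar.gz: b19da17830585641950d026dff75ebd32ded19ad16dd5fb5c3b8a33c34b0a8f6
  SHA512:
- metadata.gz: bf1f132504de2266dc4ef7f71ffdd630e348119f6681f84288aeb6ba24481336948c78183d4fa7e90100dedc85e04c4bb98f915de3ecf156630d523d91d74c00
- data.tar.gz: e1858507c3ee9a2855e04fa67957859f41347adbf448793b8cebe263a0bd95517ef913b4132470a31609be9741ff73e4769309df5924f19b0db0503a1a25fa2a
+ metadata.gz: 01d5c774269d260e2805e0a2e4a509d9db81a3a966e94176cd6c5df6d808356feee48c5009b9692e0647034ae1c4d6ea3dc29627fa2000d05821a4402080601a
+ data.tar.gz: 1dde8d0ffb4605d3abf7893628a804eca7c0fbc94f2418176651dce81fac14eb4dfe1d165e315288a2a46373b818c795e15e9d58b5ad77f15b1fb5c3d9efc4be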
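--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,21 @@
+ ## 0.17.1 (2021-10-20)
+
+ * Skip checking CSRF when request forgery protection wasn't loaded on the controller (@janko)
+
+ * Create partial unique index for `accounts.email` column when using `sqlite3` adapter (@janko)
+
+ * Revert setting `delete_account_on_close?` to `true` in generated `rodauth_app.rb` (@janko)
+
+ * Disable Turbo in `_recovery_codes_form.html.erb`, since viewing recovery codes isn't Turbo-compatible (@janko)
+
+ * Generate JSON configuration on `rodauth:install` for API-only with sessions enabled (@janko)
+
+ * Generate JWT configuration on `rodauth:install` only for API-only apps without sessions enabled (@janko)
+
+ * Don't generate JWT configuration when `rodauth:install --json` was run in API-only app (@janko)
+
+ * Use `config.action_mailer.default_url_options` in path_class_methods feature (@janko)
+
  ## 0.17.0 (2021-10-05)
 
  * Set `delete_account_on_close?` to `true` in generated `rodauth_app.rb` (@janko)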
@@ -95,11 +95,11 @@ module Rodauth
95
95
  end
96
96
 
97
97
  def json?
98
- options[:json]
98
+ options[:json] || api_only? && session_store? && !options[:jwt]
99
99
  end
100
100
 
101
101
  def jwt?
102
- options[:jwt] || Rodauth::Rails.api_only?
102
+ options[:jwt] || api_only? && !session_store? && !options[:json]
103
103
  end
104
104
 
105
105
  def migration_features
@@ -107,6 +107,14 @@ module Rodauth
107
107
  features << :remember unless jwt?
108
108
  features
109
109
  end
110
+
111
+ def session_store?
112
+ !!::Rails.application.config.session_store
113
+ end
114
+
115
+ def api_only?
116
+ Rodauth::Rails.api_only?
117
+ end
110
118
  end
111
119
  end
112
120
  end
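Review bot: `json?` and `jwt?` (lines 98 and 102 on the new side) both return true when `--json` and `--jwt` are passed together, and the mixed `||`/`&&` without parentheses makes the intended grouping hard to read at a glance. `&&` binds tighter, so the logic is right, but I would write `options[:json] || (api_only? && session_store? && !options[:jwt])` and the mirror form in `jwt?`, and reject the conflicting flag pair once, before these predicates are consulted: `raise ArgumentError, "--json and --jwt are mutually exclusive" if options[:json] && options[:jwt]`. A one-line comment on `session_store?` saying that Rails returns nil from `config.session_store` when sessions are disabled would explain why a bare truthiness test is enough there. The enclosing generator class starts before and ends after the hunk.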
@@ -5,11 +5,17 @@ enable_extension "citext"
5
5
  create_table :accounts<%= primary_key_type %> do |t|
6
6
  <% case activerecord_adapter -%>
7
7
  <% when "postgresql" -%>
8
- t.citext :email, null: false, index: { unique: true, where: "status IN ('unverified', 'verified')" }
8
+ t.citext :email, null: false
9
9
  <% else -%>
10
- t.string :email, null: false, index: { unique: true }
10
+ t.string :email, null: false
11
11
  <% end -%>
12
12
  t.string :status, null: false, default: "unverified"
13
+ <% case activerecord_adapter -%>
14
+ <% when "postgresql", "sqlite3" -%>
15
+ t.index :email, unique: true, where: "status IN ('unverified', 'verified')"
16
+ <% else -%>
17
+ t.index :email, unique: true
18
+ <% end -%>
13
19
  end
14
20
 
15
21
  # Used if storing password hashes in a separate table (default)
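Review bot: The `else` branch at template lines 16-17 keeps a full unique index, so on adapters other than postgresql/sqlite3 a closed account still reserves its email address, whereas the partial index on the other two adapters releases it; combined with `delete_account_on_close?` being commented out again in the generated app in this release, that difference deserves a comment in the template. The sqlite3 branch also differs from the citext column above it: `t.string` under the default binary collation makes the unique index case-sensitive, so `User@example.com` and `user@example.com` become distinct accounts unless logins are normalised elsewhere, which I cannot see from here. I would add above the index: `# Unique among active accounts only on postgresql/sqlite3 (closed accounts free the address there); case-insensitive only with citext.`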
@@ -52,7 +52,7 @@ class RodauthApp < Rodauth::Rails::App
52
52
  # reset_password_autologin? true
53
53
 
54
54
  # Delete the account record when the user has closed their account.
55
- delete_account_on_close? true
55
+ # delete_account_on_close? true
56
56
 
57
57
  # Redirect to the app from login and registration pages if already logged in.
58
58
  # already_logged_in { redirect login_redirect }
@@ -1,4 +1,4 @@
1
- <%%= form_tag <%= rodauth %>.recovery_codes_path, method: :post do %>
1
+ <%%= form_tag <%= rodauth %>.recovery_codes_path, method: :post, data: { turbo: false } do %>
2
2
  <%%= render "password_field" if <%= rodauth %>.two_factor_modifications_require_password? %>
3
3
  <%%= render "submit",
4
4
  value: <%= rodauth %>.recovery_codes_button || "View Authentication Recovery Codes",
@@ -13,23 +13,23 @@ module Rodauth
13
13
 
14
14
  # Render Rails CSRF tags in Rodauth templates.
15
15
  def csrf_tag(*)
16
- rails_csrf_tag
16
+ rails_csrf_tag if rails_controller_csrf?
17
17
  end
18
18
 
19
19
  # Verify Rails' authenticity token.
20
20
  def check_csrf
21
- rails_check_csrf!
21
+ rails_check_csrf! if rails_controller_csrf?
22
22
  end
23
23
 
24
24
  # Have Rodauth call #check_csrf automatically.
25
25
  def check_csrf?
26
- true
26
+ rails_check_csrf? if rails_controller_csrf?
27
27
  end
28
28
 
29
29
  private
30
30
 
31
31
  def rails_controller_callbacks
32
- return super if rails_api_controller?
32
+ return super unless rails_controller_csrf?
33
33
 
34
34
  # don't verify CSRF token as part of callbacks, Rodauth will do that
35
35
  rails_controller_instance.allow_forgery_protection = false
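Review bot: `check_csrf?` (new-side line 26) now returns nil whenever `rails_controller_csrf?` is false or `forgery_protection_strategy` is unset, which switches Rodauth's CSRF verification off entirely rather than falling back to any other check, and it does so silently. For an `ActionController::Base` subclass on which `protect_from_forgery` was never called (an app that disabled `default_protect_from_forgery`, or a rodauth controller that opted out), 0.17.0 answered `true` here and, if I read Rails right, would have raised from `rails_check_csrf!`; the new code fails open, which is broader than the "forgery protection wasn't loaded" case the changelog describes. I would make the skip a deliberate, visible event: log a warning once per controller class when `rails_controller_csrf?` is true but `rails_check_csrf?` is false, and document it on the method with `# Returns false (no CSRF check at all) when the controller has no forgery_protection_strategy; apps that opt out of protect_from_forgery must supply their own protection.` `rails_controller_callbacks` continues past the end of the hunk, so I cannot see whether `allow_forgery_protection` is restored before `rails_check_csrf!` runs; as far as I recall `verify_authenticity_token` passes unconditionally while that flag is false, so the restore is load-bearing.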
@@ -40,6 +40,12 @@ module Rodauth
40
40
  end
41
41
  end
42
42
 
43
+ # Checks whether ActionController::RequestForgeryProtection is included
44
+ # and that protect_from_forgery was called.
45
+ def rails_check_csrf?
46
+ !!rails_controller_instance.forgery_protection_strategy
47
+ end
48
+
43
49
  # Calls the controller to verify the authenticity token.
44
50
  def rails_check_csrf!
45
51
  rails_controller_instance.send(:verify_authenticity_token)
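Review bot: `rails_check_csrf?` reads as the predicate twin of `rails_check_csrf!` directly below it, but the two answer different questions: the new method asks whether a forgery-protection strategy is configured on the controller, the existing one performs the token verification. A name that states the condition, such as `rails_forgery_protection_configured?`, would stop a reader from assuming the `?` variant is a non-raising token check. The method is private to this module, so the rename is local, and the comment on lines 43-44 already describes the intended meaning.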
@@ -59,6 +65,11 @@ module Rodauth
59
65
  def rails_csrf_token
60
66
  rails_controller_instance.send(:form_authenticity_token)
61
67
  end
68
+
69
+ # Checks whether ActionController::RequestForgeryProtection is included.
70
+ def rails_controller_csrf?
71
+ rails_controller.respond_to?(:protect_from_forgery)
72
+ end
62
73
  end
63
74
  end
64
75
  end
@@ -2,30 +2,20 @@ module Rodauth
2
2
  module Rails
3
3
  module Feature
4
4
  module InternalRequest
5
- def post_configure
6
- super
7
- return unless internal_request?
8
-
9
- self.class.define_singleton_method(:internal_request) do |route, opts = {}, &blk|
10
- url_options = ::Rails.application.config.action_mailer.default_url_options || {}
5
+ def domain
6
+ return super unless missing_host?
11
7
 
12
- scheme = url_options[:protocol]
13
- port = url_options[:port]
14
- port||= Rack::Request::DEFAULT_PORTS[scheme] if Rack.release < "2"
15
- host = url_options[:host]
16
- host_with_port = host && port ? "#{host}:#{port}" : host
8
+ Rodauth::Rails.url_options[:host]
9
+ end
17
10
 
18
- env = {
19
- "HTTP_HOST" => host_with_port,
20
- "rack.url_scheme" => scheme,
21
- "SERVER_NAME" => host,
22
- "SERVER_PORT" => port,
23
- }.compact
11
+ def base_url
12
+ return super unless missing_host? && domain
24
13
 
25
- opts = opts.merge(env: env) { |k, v1, v2| v2.merge(v1) }
14
+ url_options = Rodauth::Rails.url_options
26
15
 
27
- super(route, opts, &blk)
28
- end
16
+ url = "#{url_options[:protocol]}://#{domain}"
17
+ url << ":#{url_options[:port]}" if url_options[:port]
18
+ url
29
19
  end
30
20
 
31
21
  private
@@ -44,6 +34,12 @@ module Rodauth
44
34
  return yield if internal_request?
45
35
  super
46
36
  end
37
+
38
+ # Checks whether we're in an internal request and host was not set,
39
+ # or the request doesn't exist such as with path_class_methods feature.
40
+ def missing_host?
41
+ internal_request? && request.host == INVALID_DOMAIN || scope.nil?
42
+ end
47
43
  end
48
44
  end
49
45
  end
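Review bot: `missing_host?` (new-side line 41) evaluates `internal_request? && request.host == INVALID_DOMAIN` before `scope.nil?`, so if `internal_request?` can be true on an instance that has no scope — the path_class_methods case the comment above it describes — `request.host` is reached on a nil request and raises before the `scope.nil?` alternative is consulted; I cannot confirm from the hunk whether that combination occurs, but putting the nil check first is free and also makes the `&&`/`||` precedence explicit: `scope.nil? || (internal_request? && request.host == INVALID_DOMAIN)`. Separately, `base_url` (new-side lines 16-17) interpolates `url_options[:protocol]` verbatim into `"#{…}://#{domain}"`; Rails accepts `protocol: "https://"` in `default_url_options`, and that form would yield `https://://host` here, so stripping a trailing `://` or `:` from the protocol before building the string would be safer. The enclosing `InternalRequest` module starts before and ends after the hunk.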
@@ -1,5 +1,5 @@
1
1
  module Rodauth
2
2
  module Rails
3
- VERSION = "0.17.0"
3
+ VERSION = "0.17.1"
4
4
  end
5
5
  end
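--- a/data/lib/rodauth/rails.rb
+++ b/data/lib/rodauth/rails.rb
@@ -79,6 +79,12 @@ module Rodauth
  end
  end
 
+ def url_options
+ options = ::Rails.application.config.action_mailer.default_url_options || {}
+ options[:protocol] ||= "http"
+ options
+ end
+
  def configure
  yield self
  end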
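Review bot: `url_options` (new-side lines 83-85) mutates the application's own `config.action_mailer.default_url_options` hash in place: `options` is that very Hash object when it is set, so `options[:protocol] ||= "http"` writes a `:protocol` key into the shared config the first time this is called, and will raise `FrozenError` if the app froze that hash. ActionMailer and any other reader of that config then see a `:protocol` the app never set, and plain `http` is a questionable default for links that end up in password-reset and verification emails; `config.force_ssl` may be a better source for the default, though I cannot tell from here what the callers need. Copy before defaulting: `options = (::Rails.application.config.action_mailer.default_url_options || {}).dup` and keep the two lines after it as they are.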
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rodauth-rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.17.0
4
+ version: 0.17.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Janko Marohnić
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-10-05 00:00:00.000000000 Z
11
+ date: 2021-10-20 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: railties