rsb-auth 0.9.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: c3eb90b542687f335662080f73af84d46e55348664b2e99193452555715b5772
+  data.tar.gz: 5f980b6c9c0042304eb15c8f7f114461bece133f02bea55ba088006e4c915b34
+SHA512:
+  metadata.gz: f333c9fa678dba4bb82b544178ef99654ffbacf1108b2b2bcb7b89b48196357f2a407710a35ab975113a52521f3d00c8680e0f068ed61f76c5f8a5b1fdae9f0b
+  data.tar.gz: 8b26d96dd17ef6892d025faa04704ce502e01e632be6ae37e06c40cbe756d72c3bfaebdc634ddd9ec026aeca79a89a680b427e16bf6ae92f9cab98648d633358

data/LICENSE

@@ -0,0 +1,15 @@
+Rails SaaS Builder (RSB)
+Copyright (C) 2026 Aleksandr Marchenko
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Lesser General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.

data/README.md

@@ -0,0 +1,76 @@
+# rsb-auth
+
+Identity and authentication engine for Rails SaaS Builder. Provides a flexible identity system with pluggable credential types (email+password, username+password out of the box), session management, password reset, email verification, and user invitations. Extensible via a credential registry for custom auth methods.
+
+## Installation
+
+### As part of Rails SaaS Builder
+
+```ruby
+gem "rails-saas-builder"
+```
+
+### Standalone
+
+```ruby
+gem "rsb-auth"
+```
+
+Then run:
+
+```bash
+bundle install
+rails generate rsb_auth:install
+rails db:migrate
+```
+
+## Key Features
+
+- Pluggable credential types with auto-detection
+- Session management with configurable TTL and max concurrent sessions
+- Email verification with secure token flow
+- Password reset with 2-hour expiry tokens
+- User invitations with 7-day expiry
+- Account management (profile, password change, deletion)
+- Rate limiting and lockout protection
+- Configurable registration modes (open, invite-only, disabled)
+- Extensible identity model via `identity_concerns`
+- Pre-built auth views (login, registration, password reset, account)
+
+## Basic Usage
+
+```ruby
+# Register a credential type
+RSB::Auth.credentials.register(
+  RSB::Auth::CredentialDefinition.new(
+    key: :email_password,
+    class_name: "RSB::Auth::Credential::EmailPassword",
+    authenticatable: true,
+    registerable: true,
+    label: "Email & Password"
+  )
+)
+
+# Extend the Identity model
+RSB::Auth.configure do |config|
+  config.identity_concerns = [MyApp::HasProfile]
+end
+```
+
+## Configuration
+
+```ruby
+RSB::Auth.configure do |config|
+  config.lifecycle_handler = "MyApp::AuthHandler"
+  config.identity_concerns = [MyApp::HasProfile]
+  config.permitted_account_params = [:name, :avatar_url]
+end
+```
+
+## Documentation
+
+Part of [Rails SaaS Builder](../README.md). See the main README for the full picture.
+
+## License
+
+[LGPL-3.0](../LICENSE)

data/Rakefile

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'fileutils'
+require 'rake/testtask'
+
+task :prepare_test_db do
+  ENV['RAILS_ENV'] = 'test'
+  db = File.expand_path('test/dummy/db/test.sqlite3', __dir__)
+  FileUtils.rm_f(db)
+  require_relative 'test/dummy/config/environment'
+  ActiveRecord::Migration.verbose = false
+  ActiveRecord::MigrationContext.new(Rails.application.paths['db/migrate'].to_a).migrate
+  schema = File.expand_path('test/dummy/db/schema.rb', __dir__)
+  File.open(schema, 'w') { |f| ActiveRecord::SchemaDumper.dump(ActiveRecord::Base.connection_pool, f) }
+end
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task test: :prepare_test_db
+task default: :test

data/app/controllers/concerns/rsb/auth/ensure_identity_complete.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    # Opt-in concern for host app controllers that redirects users with
+    # incomplete identities to the account edit page.
+    #
+    # Include in your ApplicationController to enforce profile completion:
+    #
+    # @example
+    #   class ApplicationController < ActionController::Base
+    #     include RSB::Auth::EnsureIdentityComplete
+    #   end
+    #
+    # The concern adds a +before_action+ that checks +current_identity.complete?+
+    # (from RFC-010). If the identity is incomplete, the user is redirected to
+    # +/auth/account+ with a flash message.
+    #
+    # Auth engine routes are skipped to prevent redirect loops (e.g., the account
+    # page itself, login, registration).
+    #
+    module EnsureIdentityComplete
+      extend ActiveSupport::Concern
+
+      included do
+        before_action :ensure_identity_complete
+      end
+
+      private
+
+      # Redirects to account edit if the current identity exists but is incomplete.
+      # Skips check for auth engine routes to prevent redirect loops.
+      #
+      # @return [void]
+      def ensure_identity_complete
+        identity = current_identity_for_completion_check
+        return unless identity
+        return if identity.complete?
+        return if rsb_auth_engine_route?
+
+        redirect_to RSB::Auth::Engine.routes.url_helpers.account_path,
+                    alert: t('rsb.auth.account.complete_profile')
+      end
+
+      # Resolves the current identity from the session cookie so the concern
+      # works in the host app without requiring the host to define +current_identity+.
+      #
+      # @return [RSB::Auth::Identity, nil]
+      def current_identity_for_completion_check
+        session = RSB::Auth::SessionService.new.find_by_token(
+          cookies.signed[:rsb_session_token]
+        )
+        session&.identity
+      end
+
+      # Checks whether the current request is handled by the rsb-auth engine.
+      # Used to skip the completion check on auth routes (login, registration,
+      # account edit) to prevent redirect loops.
+      #
+      # @return [Boolean]
+      def rsb_auth_engine_route?
+        script_name = RSB::Auth::Engine.routes.find_script_name({})
+        return self.class.module_parents.include?(RSB::Auth) if script_name.nil? || script_name.empty?
+
+        request.path.start_with?(script_name)
+      rescue StandardError
+        # Fallback: check if controller is under RSB::Auth namespace
+        self.class.module_parents.include?(RSB::Auth)
+      end
+    end
+  end
+end

data/app/controllers/concerns/rsb/auth/rate_limitable.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module RateLimitable
+      extend ActiveSupport::Concern
+
+      private
+
+      def throttle!(key:, limit: 10, period: 60)
+        cache_key = "rsb_throttle:#{key}:#{request.remote_ip}"
+        count = Rails.cache.increment(cache_key, 1, expires_in: period.seconds, initial: 0)
+
+        return unless count > limit
+
+        render plain: 'Too many requests. Try again later.', status: :too_many_requests
+      end
+    end
+  end
+end

data/app/controllers/rsb/auth/account/login_methods_controller.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Account
+      class LoginMethodsController < RSB::Auth::ApplicationController
+        layout 'rsb/auth/application'
+
+        include RSB::Auth::RateLimitable
+
+        before_action :require_authentication
+        before_action :set_credential
+        before_action -> { throttle!(key: 'change_password', limit: 10, period: 60) }, only: :change_password
+
+        # Renders the login method detail page for a specific credential.
+        # Shows identifier, type, verification status, change password form,
+        # and optional remove button.
+        #
+        # @route GET /auth/account/login_methods/:id
+        def show
+          @can_remove = current_identity.active_credentials.count > 1
+        end
+
+        # Changes the password on a specific credential.
+        # Delegates to AccountService#change_password which verifies the current
+        # password and revokes all other sessions on success.
+        #
+        # @route PATCH /auth/account/login_methods/:id/password
+        def change_password
+          result = RSB::Auth::AccountService.new.change_password(
+            credential: @credential,
+            current_password: params[:current_password],
+            new_password: params[:new_password],
+            new_password_confirmation: params[:new_password_confirmation],
+            current_session: current_session
+          )
+
+          if result.success?
+            redirect_to account_login_method_path(@credential), notice: t('rsb.auth.account.password_changed')
+          else
+            @password_errors = result.errors
+            @can_remove = current_identity.active_credentials.count > 1
+            render :show, status: :unprocessable_entity
+          end
+        end
+
+        # Revokes (removes) a login method.
+        # Guards against removing the last active credential.
+        #
+        # @route DELETE /auth/account/login_methods/:id
+        def destroy
+          if current_identity.active_credentials.count <= 1
+            redirect_to account_path, alert: t('rsb.auth.account.cannot_remove_last')
+            return
+          end
+
+          @credential.revoke!
+          redirect_to account_path, notice: t('rsb.auth.account.login_method_removed')
+        end
+
+        # Resends verification email for an unverified credential.
+        #
+        # @route POST /auth/account/login_methods/:id/resend_verification
+        def resend_verification
+          if @credential.verified?
+            redirect_to account_login_method_path(@credential), alert: t('rsb.auth.account.already_verified')
+            return
+          end
+
+          RSB::Auth::VerificationService.new.send_verification(@credential)
+          redirect_to account_login_method_path(@credential), notice: t('rsb.auth.account.verification_sent')
+        end
+
+        private
+
+        # Scoped to current_identity.active_credentials to prevent:
+        # - Accessing another identity's credentials (RecordNotFound)
+        # - Accessing revoked credentials (not in active scope)
+        def set_credential
+          @credential = current_identity.active_credentials.find(params[:id])
+        end
+      end
+    end
+  end
+end

data/app/controllers/rsb/auth/account/sessions_controller.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    module Account
+      class SessionsController < RSB::Auth::ApplicationController
+        before_action :require_authentication
+
+        # Revokes a specific session belonging to the current identity.
+        # Scoped to current_identity.sessions to prevent accessing
+        # another identity's sessions (raises RecordNotFound).
+        #
+        # @route DELETE /auth/account/sessions/:id
+        def destroy
+          target = current_identity.sessions.find(params[:id])
+          RSB::Auth::SessionService.new.revoke(target)
+          redirect_to account_path, notice: t('rsb.auth.account.session_revoked')
+        end
+
+        # Revokes all active sessions for the current identity except
+        # the current session. The user remains logged in.
+        #
+        # @route DELETE /auth/account/sessions
+        def destroy_all
+          RSB::Auth::SessionService.new.revoke_all(current_identity, except: current_session)
+          redirect_to account_path, notice: t('rsb.auth.account.all_sessions_revoked')
+        end
+      end
+    end
+  end
+end

data/app/controllers/rsb/auth/account_controller.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module RSB
+  module Auth
+    class AccountController < ApplicationController
+      layout 'rsb/auth/application'
+
+      include RSB::Auth::RateLimitable
+      include RSB::Auth::UserAgentHelper
+
+      before_action :require_authentication
+      before_action :check_account_enabled
+      before_action :check_deletion_enabled, only: %i[confirm_destroy destroy]
+
+      # Renders the account hub page with four sections:
+      # login methods, identity fields, active sessions, delete account.
+      #
+      # @route GET /auth/account
+      def show
+        load_account_data
+        @rsb_page_title = t('rsb.auth.account.show.page_title', default: 'Account')
+      end
+
+      # Updates identity attributes (metadata or concern-provided nested attributes).
+      #
+      # @route PATCH /auth/account
+      def update
+        result = RSB::Auth::AccountService.new.update(
+          identity: current_identity,
+          params: account_params
+        )
+
+        if result.success?
+          redirect_to account_path, notice: t('rsb.auth.account.updated')
+        else
+          @errors = result.errors
+          load_account_data
+          render :show, status: :unprocessable_entity
+        end
+      end
+
+      # Renders the password confirmation page before account deletion.
+      #
+      # @route GET /auth/account/confirm_destroy
+      def confirm_destroy; end
+
+      # Soft-deletes the account after password verification.
+      # Clears the session cookie and redirects to login.
+      #
+      # @route DELETE /auth/account
+      def destroy
+        result = RSB::Auth::AccountService.new.delete_account(
+          identity: current_identity,
+          password: params[:password],
+          current_session: current_session
+        )
+
+        if result.success?
+          reset_session
+          cookies.delete(:rsb_session_token)
+          redirect_to new_session_path, notice: t('rsb.auth.account.deleted')
+        else
+          @errors = result.errors
+          render :confirm_destroy, status: :unprocessable_entity
+        end
+      end
+
+      private
+
+      def account_params
+        permitted = RSB::Auth.configuration.permitted_account_params
+        permitted = permitted.flat_map { |p| p == :metadata ? [{ metadata: {} }] : [p] }
+        params.require(:identity).permit(*permitted)
+      rescue ActionController::ParameterMissing
+        {}
+      end
+
+      def load_account_data
+        @identity = current_identity
+        @login_methods = current_identity.active_credentials.order(:created_at)
+        @sessions = current_identity.sessions.active.order(last_active_at: :desc)
+        @current_session = current_session
+        @deletion_enabled = RSB::Settings.get('auth.account_deletion_enabled')
+      end
+
+      def check_account_enabled
+        return if RSB::Settings.get('auth.account_enabled')
+
+        redirect_to main_app.root_path, alert: t('rsb.auth.account.disabled')
+      end
+
+      def check_deletion_enabled
+        return if RSB::Settings.get('auth.account_deletion_enabled')
+
+        redirect_to account_path, alert: t('rsb.auth.account.deletion_disabled')
+      end
+    end
+  end
+end