rsb-auth 0.9.1 → 0.9.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c3eb90b542687f335662080f73af84d46e55348664b2e99193452555715b5772
-  data.tar.gz: 5f980b6c9c0042304eb15c8f7f114461bece133f02bea55ba088006e4c915b34
+  metadata.gz: 796fc07fdbd135fee58327f302a10989bba92cdbd9d060df01a9b479361b834d
+  data.tar.gz: 8b3f4d530bcedc6b96a9e139f2353474cc1f803cc5833d9a568554c4097517a3
 SHA512:
-  metadata.gz: f333c9fa678dba4bb82b544178ef99654ffbacf1108b2b2bcb7b89b48196357f2a407710a35ab975113a52521f3d00c8680e0f068ed61f76c5f8a5b1fdae9f0b
-  data.tar.gz: 8b26d96dd17ef6892d025faa04704ce502e01e632be6ae37e06c40cbe756d72c3bfaebdc634ddd9ec026aeca79a89a680b427e16bf6ae92f9cab98648d633358
+  metadata.gz: f329589372f35a266a7ba67fde98eed5b1f09d7b5113fc0a74ac81a22b6f5284f39791ef3b5cd3cf759a14f5880b5ae503e30f7d6849b7c503420c51bcdd93e7
+  data.tar.gz: 91565f320f7a1f32db2bab78a451b83b40f0b175325647b2157d31336a21b1c970ccc6d7cfa3150ff9cbaeed5d77d5baa1c1acbe467b0b370f2b6b0cdda9353f

data/app/controllers/rsb/auth/sessions_controller.rb

@@ -51,7 +51,8 @@ module RSB
           cookies.signed[:rsb_session_token] = {
             value: session_record.token,
             httponly: true,
-            same_site: :lax
+            same_site: :lax,
+            secure: Rails.env.production?
           }
           if result.identity.complete?
             redirect_to main_app.root_path, notice: 'Signed in.'

data/app/services/rsb/auth/authentication_service.rb

@@ -1,10 +1,15 @@
 # frozen_string_literal: true
 
+require 'bcrypt'
+
 module RSB
   module Auth
     class AuthenticationService
       Result = Data.define(:success?, :identity, :credential, :error, :unverified)
 
+      # Cached bcrypt digest for timing attack prevention.
+      DUMMY_DIGEST = BCrypt::Password.create('dummy_password_for_timing')
+
       # Authenticates by identifier and password. Only active (non-revoked) credentials
       # are considered. Also checks that the credential's type is currently enabled
       # via settings.
@@ -13,24 +18,29 @@ module RSB
       # @param password [String] password
       # @return [Result] success? with identity/credential, or error message
       def call(identifier:, password:)
-        credential = RSB::Auth::Credential.active.find_by(
-          identifier: identifier.strip.downcase
-        )
+        normalized = identifier.strip.downcase
+        credential = RSB::Auth::Credential.active.find_by(identifier: normalized)
+
+        unless credential
+          # Perform a dummy bcrypt comparison to equalize response timing
+          DUMMY_DIGEST.is_password?(password)
+          return Result.new(success?: false, identity: nil, credential: nil, error: 'Invalid credentials.',
+                            unverified: false)
+        end
 
-        return failure('Invalid credentials.') unless credential
         return failure('Invalid credentials.') if credential.identity.deleted?
 
         # Check credential type is enabled
         credential_type_key = derive_credential_type_key(credential)
         unless RSB::Auth.credentials.enabled?(credential_type_key)
-          return failure('This sign-in method is not available.')
+          return failure(error_message('This sign-in method is not available.'))
         end
 
-        return failure('Account is locked. Try again later.') if credential.locked?
-        return failure('Account is suspended.') if credential.identity.suspended?
+        return failure(error_message('Account is locked. Try again later.')) if credential.locked?
+        return failure(error_message('Account is suspended.')) if credential.identity.suspended?
 
         if credential.authenticate(password)
-          credential.update_columns(failed_attempts: 0)
+          credential.update_columns(failed_attempts: 0) if credential.failed_attempts.positive?
 
           # Per-credential verification check
           verif_required = ActiveModel::Type::Boolean.new.cast(
@@ -60,6 +70,14 @@ module RSB
 
       private
 
+      def error_message(specific_message)
+        if RSB::Settings.get('auth.generic_error_messages')
+          'Invalid credentials.'
+        else
+          specific_message
+        end
+      end
+
       # Derives the credential type key from a credential's STI type.
       # E.g., "RSB::Auth::Credential::EmailPassword" -> :email_password
       #

data/db/migrate/20260216100001_create_rsb_auth_tables.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+class CreateRSBAuthTables < ActiveRecord::Migration[8.1]
+  def change
+    create_table :rsb_auth_identities do |t|
+      t.string :status, null: false, default: 'active'
+      t.json :metadata, default: {}
+      t.datetime :deleted_at
+
+      t.timestamps
+    end
+
+    add_index :rsb_auth_identities, :deleted_at,
+              where: 'deleted_at IS NOT NULL',
+              name: 'index_rsb_auth_identities_on_deleted_at'
+
+    create_table :rsb_auth_credentials do |t|
+      t.references :identity, null: false, foreign_key: { to_table: :rsb_auth_identities }
+      t.string :type, null: false
+      t.string :identifier, null: false
+      t.string :password_digest, null: false
+      t.json :metadata, default: {}
+      t.datetime :verified_at
+      t.string :verification_token
+      t.datetime :verification_sent_at
+      t.integer :failed_attempts, null: false, default: 0
+      t.datetime :locked_until
+      t.datetime :revoked_at
+      t.string :recovery_email
+
+      t.timestamps
+    end
+
+    add_index :rsb_auth_credentials, %i[type identifier],
+              unique: true,
+              where: 'revoked_at IS NULL',
+              name: 'index_rsb_auth_credentials_on_type_and_identifier_active'
+    add_index :rsb_auth_credentials, :verification_token, unique: true
+    add_index :rsb_auth_credentials, :recovery_email
+
+    create_table :rsb_auth_sessions do |t|
+      t.references :identity, null: false, foreign_key: { to_table: :rsb_auth_identities }
+      t.string :token, null: false
+      t.string :ip_address
+      t.string :user_agent
+      t.datetime :last_active_at
+      t.datetime :expires_at, null: false
+
+      t.timestamps
+    end
+
+    add_index :rsb_auth_sessions, :token, unique: true
+    add_index :rsb_auth_sessions, :expires_at
+
+    create_table :rsb_auth_password_reset_tokens do |t|
+      t.references :credential, null: false, foreign_key: { to_table: :rsb_auth_credentials }
+      t.string :token, null: false
+      t.datetime :expires_at, null: false
+      t.datetime :used_at
+
+      t.timestamps
+    end
+
+    add_index :rsb_auth_password_reset_tokens, :token, unique: true
+
+    create_table :rsb_auth_invitations do |t|
+      t.string :email, null: false
+      t.string :token, null: false
+      t.references :invited_by, polymorphic: true, null: true
+      t.datetime :accepted_at
+      t.datetime :expires_at, null: false
+      t.datetime :revoked_at
+
+      t.timestamps
+    end
+
+    add_index :rsb_auth_invitations, :token, unique: true
+    add_index :rsb_auth_invitations, :email
+  end
+end

data/lib/rsb/auth/engine.rb

@@ -28,7 +28,7 @@ module RSB
             class_name: 'RSB::Auth::Credential::EmailPassword',
             authenticatable: true,
             registerable: true,
-            label: 'Email & Password',
+            label: 'Email',
             icon: 'mail',
             form_partial: 'rsb/auth/credentials/email_password',
             admin_form_partial: 'rsb/auth/admin/credentials/email_password'
@@ -41,7 +41,7 @@ module RSB
             class_name: 'RSB::Auth::Credential::UsernamePassword',
             authenticatable: true,
             registerable: true,
-            label: 'Username & Password',
+            label: 'Username',
             icon: 'user',
             form_partial: 'rsb/auth/credentials/username_password',
             admin_form_partial: 'rsb/auth/admin/credentials/username_password'

data/lib/rsb/auth/settings_schema.rb

@@ -67,6 +67,12 @@ module RSB
                   group: 'Features',
                   depends_on: 'auth.account_enabled',
                   description: 'Enable self-service account deletion'
+
+          setting :generic_error_messages,
+                  type: :boolean,
+                  default: false,
+                  group: 'Security',
+                  description: 'When enabled, all login failures return "Invalid credentials" regardless of the actual reason (locked, suspended, disabled). Prevents account enumeration via error message differentiation.'
         end
       end
     end

data/lib/rsb/auth/test_helper.rb

@@ -4,6 +4,11 @@ module RSB
   module Auth
     module TestHelper
       def self.included(base)
+        base.setup do
+          RSB::Auth.reset!
+          Rails.cache.clear
+        end
+
         base.teardown do
           RSB::Auth.reset!
         end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rsb-auth
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.3
 platform: ruby
 authors:
 - Aleksandr Marchenko
@@ -43,14 +43,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: 0.9.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: 0.9.3
 - !ruby/object:Gem::Dependency
   name: useragent
   requirement: !ruby/object:Gem::Requirement
@@ -142,15 +142,7 @@ files:
 - config/locales/credentials.en.yml
 - config/locales/seo.en.yml
 - config/routes.rb
-- db/migrate/20260208100001_create_rsb_auth_identities.rb
-- db/migrate/20260208100002_create_rsb_auth_credentials.rb
-- db/migrate/20260208100003_create_rsb_auth_sessions.rb
-- db/migrate/20260208100004_create_rsb_auth_password_reset_tokens.rb
-- db/migrate/20260208100005_add_verification_to_rsb_auth_credentials.rb
-- db/migrate/20260208100006_create_rsb_auth_invitations.rb
-- db/migrate/20260211100001_add_revoked_at_to_rsb_auth_credentials.rb
-- db/migrate/20260212100001_add_deleted_at_to_rsb_auth_identities.rb
-- db/migrate/20260214172956_add_recovery_email_to_rsb_auth_credentials.rb
+- db/migrate/20260216100001_create_rsb_auth_tables.rb
 - lib/generators/rsb/auth/install/install_generator.rb
 - lib/generators/rsb/auth/views/views_generator.rb
 - lib/rsb/auth.rb

data/db/migrate/20260208100001_create_rsb_auth_identities.rb

@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-class CreateRSBAuthIdentities < ActiveRecord::Migration[8.1]
-  def change
-    create_table :rsb_auth_identities do |t|
-      t.string :status, null: false, default: 'active'
-      t.json :metadata, default: {}
-
-      t.timestamps
-    end
-  end
-end

data/db/migrate/20260208100002_create_rsb_auth_credentials.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-class CreateRSBAuthCredentials < ActiveRecord::Migration[8.1]
-  def change
-    create_table :rsb_auth_credentials do |t|
-      t.references :identity, null: false, foreign_key: { to_table: :rsb_auth_identities }
-      t.string :type, null: false
-      t.string :identifier, null: false
-      t.string :password_digest, null: false
-      t.json :metadata, default: {}
-      t.datetime :verified_at
-      t.integer :failed_attempts, null: false, default: 0
-      t.datetime :locked_until
-
-      t.timestamps
-    end
-
-    add_index :rsb_auth_credentials, %i[type identifier], unique: true
-  end
-end

data/db/migrate/20260208100003_create_rsb_auth_sessions.rb

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-class CreateRSBAuthSessions < ActiveRecord::Migration[8.1]
-  def change
-    create_table :rsb_auth_sessions do |t|
-      t.references :identity, null: false, foreign_key: { to_table: :rsb_auth_identities }
-      t.string :token, null: false
-      t.string :ip_address
-      t.string :user_agent
-      t.datetime :last_active_at
-      t.datetime :expires_at, null: false
-      t.timestamps
-    end
-
-    add_index :rsb_auth_sessions, :token, unique: true
-    add_index :rsb_auth_sessions, :expires_at
-  end
-end

data/db/migrate/20260208100004_create_rsb_auth_password_reset_tokens.rb

@@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-class CreateRSBAuthPasswordResetTokens < ActiveRecord::Migration[8.1]
-  def change
-    create_table :rsb_auth_password_reset_tokens do |t|
-      t.references :credential, null: false, foreign_key: { to_table: :rsb_auth_credentials }
-      t.string :token, null: false
-      t.datetime :expires_at, null: false
-      t.datetime :used_at
-      t.timestamps
-    end
-
-    add_index :rsb_auth_password_reset_tokens, :token, unique: true
-  end
-end

data/db/migrate/20260208100005_add_verification_to_rsb_auth_credentials.rb

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-class AddVerificationToRSBAuthCredentials < ActiveRecord::Migration[8.1]
-  def change
-    add_column :rsb_auth_credentials, :verification_token, :string
-    add_column :rsb_auth_credentials, :verification_sent_at, :datetime
-    add_index :rsb_auth_credentials, :verification_token, unique: true
-  end
-end

data/db/migrate/20260208100006_create_rsb_auth_invitations.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-class CreateRSBAuthInvitations < ActiveRecord::Migration[8.1]
-  def change
-    create_table :rsb_auth_invitations do |t|
-      t.string :email, null: false
-      t.string :token, null: false
-      t.references :invited_by, polymorphic: true, null: true
-      t.datetime :accepted_at
-      t.datetime :expires_at, null: false
-      t.datetime :revoked_at
-
-      t.timestamps
-    end
-
-    add_index :rsb_auth_invitations, :token, unique: true
-    add_index :rsb_auth_invitations, :email
-  end
-end

data/db/migrate/20260211100001_add_revoked_at_to_rsb_auth_credentials.rb

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-class AddRevokedAtToRSBAuthCredentials < ActiveRecord::Migration[8.1]
-  def change
-    add_column :rsb_auth_credentials, :revoked_at, :datetime, null: true
-
-    # Replace full unique index with partial unique index scoped to active credentials.
-    # This allows the same [type, identifier] to exist multiple times as long as
-    # only one is active (revoked_at IS NULL). Supported by PostgreSQL and SQLite 3.8.0+.
-    remove_index :rsb_auth_credentials, %i[type identifier]
-    add_index :rsb_auth_credentials, %i[type identifier],
-              unique: true,
-              where: 'revoked_at IS NULL',
-              name: 'index_rsb_auth_credentials_on_type_and_identifier_active'
-  end
-end

data/db/migrate/20260212100001_add_deleted_at_to_rsb_auth_identities.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-class AddDeletedAtToRSBAuthIdentities < ActiveRecord::Migration[8.1]
-  def change
-    add_column :rsb_auth_identities, :deleted_at, :datetime, null: true
-    add_index :rsb_auth_identities, :deleted_at,
-              where: 'deleted_at IS NOT NULL',
-              name: 'index_rsb_auth_identities_on_deleted_at'
-  end
-end

data/db/migrate/20260214172956_add_recovery_email_to_rsb_auth_credentials.rb

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-class AddRecoveryEmailToRSBAuthCredentials < ActiveRecord::Migration[8.0]
-  def change
-    add_column :rsb_auth_credentials, :recovery_email, :string
-    add_index :rsb_auth_credentials, :recovery_email
-  end
-end